我有一个包含所有个人信息(姓名、名字、出生日期、电子邮件等)的人员列表。我想向每个人发送一封电子邮件,其中包含一个链接,一旦点击,他们就可以直接访问在我们的网站上连接。无需输入密码。
我按照 Firebase 程序进行无密码身份验证:
- 从后面用Python。为连接生成电子邮件链接
- 用于 Angular Js 的前端。在网页中完成登录
- Fireship.io 教程
但是大多数示例不太适合我的用例。
大多数例子:
- 用户访问您的网站,要求进行无密码身份验证,输入他的电子邮件,(电子邮件存储在
window.location.href
) - 用户收到一封带有登录链接的电子邮件,他点击它
- 用户在您的网站上,已登录(感谢他存储在 中的电子邮件
window.location.href
)。
我的用例:
- 没有任何。我已经有了用户的电子邮件,所以我直接将链接发送给他以进行连接。
- 用户收到一封带有登录链接的电子邮件,他点击它
- 用户在我的网站上,但必须在提示符中再次输入他的电子邮件(因为它显然没有存储在 中
window.location.href
)。
在我的情况下,该window.location.href
变量将永远不会被使用。而且我不希望我的用户在单击链接后必须重新输入他的电子邮件。既然我已经有了他的email,为什么还要再问他呢?
那么如何跳过这一步呢?这样做有什么安全风险吗?
到目前为止,这是我的代码:
后退:
import firebase_admin
from firebase_admin import auth
from google.cloud import firestore
def create_new_auth(dictionary):
user = auth.create_user(
email=dictionary['email'],
email_verified=True,
phone_number=dictionary['phone'],
password='super_secure_password_007',
display_name=f"{dictionary['firstName']} {dictionary['lastName']}",
disabled=False)
print('Sucessfully created new user: {0}'.format(user.uid))
return user.uid
def create_new_pre_user(db, dictionary, uid):
dictionary = {
'uid': uid,
'email': dictionary['email'],
'lastName': dictionary['lastName'],
'gender': dictionary['gender'],
'birthday': dictionary['birthday'],
'phone': dictionary['phone'],
'firstName': dictionary['firstName']
}
db.collection(u'users').document(uid).set(dictionary)
def main(dictionary):
firebase_admin.initialize_app()
db = firestore.Client()
uid = create_new_auth(dictionary)
create_new_pre_user(db, dictionary, uid)
action_code_settings = auth.ActionCodeSettings(
url=f'http://localhost:4200/login',
handle_code_in_app=True,
ios_bundle_id='com.example.ios',
android_package_name='com.example.android',
android_install_app=True,
android_minimum_version='12',
dynamic_link_domain='magic42.page.link',
)
link = auth.generate_sign_in_with_email_link(dictionary['email'], action_code_settings)
if __name__ == '__main__':
dictionary = {
"firstName": "Jone",
"lastName": "Doe",
"birthday": 12345678,
"gender": "male",
"email": "john.doe@gmail.com",
"phone": "+33611223344"
}
main(dictionary)
正面:
private signInWithEmail() {
if (this.authService.isSignInWithEmailLink(window.location.href)) {
// Additional state parameters can also be passed via URL.
// This can be used to continue the user's intended action before triggering
// the sign-in operation.
// Get the email if available. This should be available if the user completes
// the flow on the same device where they started it.
let email = window.localStorage.getItem('emailForSignIn');
if (!email) {
// User opened the link on a different device. To prevent session fixation
// attacks, ask the user to provide the associated email again. For example:
email = window.prompt('Please provide your email for confirmation');
}
// The client SDK will parse the code from the link for you.
this.authService.signInWithEmailLink(email, window.location.href)
.then((result) => {
// Clear email from storage.
window.localStorage.removeItem('emailForSignIn');
// You can access the new user via result.user
// Additional user info profile not available via:
// result.additionalUserInfo.profile == null
// You can check if the user is new or existing:
// result.additionalUserInfo.isNewUser
this.router.navigate(['/patient', 'quiz'])
})
.catch((error) => {
// Some error occurred, you can inspect the code: error.code
// Common errors could be invalid email and invalid or expired OTPs.
});
}
}
isSignInWithEmailLink(href) {
return this.afAuth.auth.isSignInWithEmailLink(href);
}
signInWithEmailLink(email: string, href: string) {
return this.afAuth.auth.signInWithEmailLink(email, href)
}
编辑
问题是,当他第一次使用该链接访问我们的网站时,前台不知道用户的电子邮件。有一种方法可以将email
信息从我们的服务器端传递到前端,但在 URL 中很清楚:根据 Firebase 本身(链接) ,这是有风险的并且不是一个好的做法
像这样:
def main(dictionary):
firebase_admin.initialize_app()
db = firestore.Client()
uid = create_new_auth(dictionary)
create_new_pre_user(db, dictionary, uid)
action_code_settings = auth.ActionCodeSettings(
url=f'http://localhost:4200/login/?email=john.doe@gmail.com',
handle_code_in_app=True,
ios_bundle_id='com.example.ios',
android_package_name='com.example.android',
android_install_app=True,
android_minimum_version='12',
dynamic_link_domain='magic42.page.link',
)
link = auth.generate_sign_in_with_email_link(dictionary['email'], action_code_settings)
那么如何将email
信息从后面传递到前面,以便用户在单击我的“魔术链接”后重定向到我的网站时不必再次输入?