node.js, firebase, firebase-authentication, firebase-admin

Firebase Admin SDK - is it safe to create users without passwords?


I'm managing my own email sign in on a Firebase web application, so I send verification emails and create authenticated users in cloud functions. Here is how I currently create new users:

const admin = require('firebase-admin')
admin.initializeApp()

... 

userRecord = await admin.auth().createUser({
  email: signInData.email,
  emailVerified: true
}) 

I want it set up so users never create, reset or manage a password in any way. They can only request sign in emails.

The docs say all properties are optional when creating new users:

Note: All of the above properties are optional. If a certain property is not specified, the value for that property will be empty unless a default is mentioned in the above table.

I don't provide users a way to reset their password, so is there any risk in leaving a user password empty?


Solution

  • There's no risk. In fact, passwordless sign-in seems more secure as there's no risk of users using some common weak passwords or writing them somewhere. Also, the user must have access to their email to log in, so unless they've shared their email with someone or the email is compromised, the account is safe.

    There's a blog post on "Is passwordless authentication more secure than passwords?". I'd recommend reading that for detailed information.
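
With no password on the account, the emailed sign-in link is the only credential, so the handling of its token is what keeps the account safe. The following is an added example, not code from the question or the answer: the helper names, the in-memory `pending` store, the 15-minute lifetime and the use of `createCustomToken` to complete sign-in are all assumptions.

```javascript
// Added example: single-use, expiring sign-in tokens for a self-managed email flow.
const crypto = require('crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed link lifetime
// Stand-in for a datastore: sha256(token) -> { email, expiresAt }.
// Only the hash is stored, so a leaked store does not yield usable links.
const pending = new Map();

const digest = (token) =>
  crypto.createHash('sha256').update(String(token)).digest('hex');

function issueSignInToken(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  pending.set(digest(token), { email, expiresAt: now + TOKEN_TTL_MS });
  return token; // placed in the emailed link, never logged or stored in clear
}

function redeemSignInToken(token, now = Date.now()) {
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;       // unknown or already used
  pending.delete(key);           // single use: consumed even when expired
  return now > entry.expiresAt ? null : entry.email;
}

// `auth` is admin.auth(). The account is created as in the question:
// email and emailVerified only, no password property.
async function signInWithEmailToken(auth, token) {
  const email = redeemSignInToken(token);
  if (!email) throw new Error('invalid or expired sign-in link');
  let user;
  try {
    user = await auth.getUserByEmail(email);
  } catch (err) {
    if (err.code !== 'auth/user-not-found') throw err;
    user = await auth.createUser({ email, emailVerified: true });
  }
  return auth.createCustomToken(user.uid); // assumed way of finishing sign-in
}
```

`emailVerified: true` is only accurate when the account is created after a token has been redeemed, which is why `createUser` sits behind `redeemSignInToken` here.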