python firebase firebase-admin

Firebase Admin user authentication not sending sms, only creates users directly


I am new to Firebase Admin and I want Firebase Admin, through my Python back end, to verify a user's phone number before creating the user.

I am using the instructions in the documentation link below: https://firebase.google.com/docs/auth/admin/manage-users#update_a_user

Right now, I am able to successfully create users using Firebase's authentication flow using users' phone numbers; the only problem is that no SMS is being sent to the user-entered phone number.

How do I make Firebase Admin send an SMS to the user's phone number before registering them?

-----EDITS------

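import firebase_admin
from firebase_admin import auth, credentials
from rest_framework.decorators import api_view, renderer_classes
from rest_framework.renderers import JSONRenderer, TemplateHTMLRenderer
from rest_framework.response import Response

# Initialise the Admin SDK once per process; calling initialize_app() on
# every request raises ValueError because the default app already exists.
try:
    firebase_admin.get_app()
except ValueError:
    cred = credentials.Certificate('PhoneNumberVerify/firebase-admin.json')
    firebase_admin.initialize_app(cred)


@api_view(('POST',))
@renderer_classes((TemplateHTMLRenderer, JSONRenderer))
def SendPhoneCodeView(request):
    phone = request.data.get('phone')
    print('phone is')
    print(phone)
    # create_user() writes the number to the account directly; no SMS is sent.
    user = auth.create_user(phone_number=phone)

    print('User Created Successfully')
    print(user.uid)
    # A DRF view must return a Response.
    return Response({'uid': user.uid})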

Solution

  • The Admin SDKs are considered a "source of truth" and any data you write to Firebase Authentication using them is considered to be correct and valid. This is why adding a phone number on a user's account does not trigger SMS verification - it is assumed to belong to that user.

    There isn't any way you can generate OTPs or trigger SMS for Firebase Phone auth using the Admin SDK, unlike email auth action links. You would have to rely on Firebase Client SDKs to send the SMS when the user tries to log in. If they are the intended user and have their phone, they will be able to log in.

    You can read more about it here -> Send a verification code to user's phone

    If you really want to verify the user's phone number before creating their account, you would have to manually create and manage the auth flow and use services like Twilio for sending SMS. It'll involve creating your own custom codes and storing them in a database, along with the verification code generation and then verifying it, and adding rate limits so no one can randomly try all codes possible.

    I don't see any severe security threat (unless someone else has their phone or the number is transferred to someone else) or something in not verifying the number before creating the account; users will need access to their phone to log in anytime.
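
The custom flow the answer describes (generate a code, store it, verify it, rate-limit guesses) can look like the following. This is an added example, not code from the original post or from Firebase. It assumes an in-memory dict in place of the database, assumed values for the expiry, attempt and resend limits, hypothetical function names, and that the caller delivers the returned code through an SMS provider.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5      # guesses allowed per issued code (assumed value)
RESEND_INTERVAL = 60  # minimum seconds between codes for one number (assumed value)

_pending = {}  # phone -> record; stands in for the database the answer mentions


def _digest(phone, code, salt):
    # Store only a salted hash so a leaked table does not expose live codes.
    return hashlib.sha256(salt + phone.encode() + b":" + code.encode()).digest()


def issue_code(phone, now=None):
    """Create a 6-digit code for `phone`; the caller sends it by SMS."""
    now = time.time() if now is None else now
    rec = _pending.get(phone)
    if rec and now - rec["issued"] < RESEND_INTERVAL:
        # Throttle re-issue so a fresh code cannot be used to reset the guess counter.
        raise RuntimeError("code requested too recently")
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
    salt = secrets.token_bytes(16)
    _pending[phone] = {"salt": salt, "hash": _digest(phone, code, salt),
                       "issued": now, "attempts": 0}
    return code


def verify_code(phone, code, now=None):
    """Return True exactly once for the right code, before expiry and lockout."""
    now = time.time() if now is None else now
    rec = _pending.get(phone)
    if rec is None:
        return False
    if now - rec["issued"] > CODE_TTL or rec["attempts"] >= MAX_ATTEMPTS:
        return False  # expired or locked; record stays so the resend throttle holds
    rec["attempts"] += 1  # count every guess, right or wrong
    if hmac.compare_digest(rec["hash"], _digest(phone, code, rec["salt"])):
        del _pending[phone]  # single use
        return True
    return False
```

Only after `verify_code` returns True would the back end call `auth.create_user(phone_number=phone)`.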