How to trigger a cloud function in Firebase on password change?

Question

I am trying to trigger a Firebase cloud function when a user changes their password, be it by changing the password (firebase.auth().currentUser. updatePassword(newPassword) ) or by reseting it (firebase.auth(). sendPasswordResetEmail(email) ). Since I am not storing password anywhere I can not use .onUpdate trigger (or any other of the triggers).

I found a similar question, but it only asked about a trigger on password change and there is no info about a workaround: Firebase cloud function listener for password change

Edit: with this trigger I want to send an email to user that their password has been changed.

Does anyone have any ideas? Is it possible at all?

Answer 1

Workaround

If you're using Firestore, you can use Cloud Firestore triggers as a workaround.

Step 1

Create a Cloud Function called sendEmail.

  // This cloud function will get triggered when a new document is added to `emails` collection.
  exports.sendEmail = functions.firestore
    .document('emails/{documentId}')
    .onCreate(async (snapshot, context) => {
        const data = snapshot.data()
        const user = data.user

        if (data.changedPassword == true) {
          // send email to the user saying password was changed
        } else if (data.changedEmail == true) { 
          // send email to the user saying the email address was changed
        }
    })

Step 2

Write a document to your emails collection anytime the user updates their password.

// After you call .updatePassword() or .confirmPasswordReset()
// then you do this

const db = firebase.firestore();

db.collection("emails").add({
    user: {INSERT USER ID HERE}",
    changedPassword: true, //changedEmail: true,
})
.then((docRef) => {
    // handle success
})
.catch((error) => {
    // handle error
});

(Optional) Step 3

Write a Firebase Rule to protect the emails collection. The rule says: "Only allow documents to be written to the emails collection if the user field matches the authenticated user."

Summary

On the client, you'll write a new document to the emails collection anytime you want to send an email. The document will include fields for the user id and the type of email (e.g. changedPassword, changedEmail). Your cloud function will automatically send emails when documents are added to the emails collection. Firestore Rules will ensure emails are sent only to the intended user.

This system is reusable for any type of email you want to send the user. In my app, I send emails to the user when their password is changed and when their email is changed.

Answer 2

What you want is totally possible, but you'll have to implement it yourself. As the link you found states, there is no built-in on-password-update account trigger... only onCreate and onDelete account triggers. Which means we have to handle it manually. I would handle it the same way you are heading - using a cloud function to send the user an email.

I would build a cloud function named something like notifyUserOfPasswordChange() and call that cloud function from your app immediately after the line of code where you call .updatePassword() or .confirmPasswordReset() (which is the finishing step after .sendPasswordResetEmail()). If I understand the point of your question - this is the real answer here. You will need to call a cloud function manually whenever you execute password update code. There's no automated trigger.

The email can be as simple or customized as you code it. If you're unsure, then start simple and have the cloud function get the target email address from the data parameter - and then use a generic message for the email body. If you feel more adventurous, consider passing the user's UID and using the Admin SDK to look up that user's registered email address & display name and then building a prettier & personalized HTML email.

As far as how to send an email from Firebase cloud functions, there are plenty of examples out there - a good sample is on Firebase's GitHub page.