docs/auth/password-auth.md
Project: /docs/_project.yaml Book: /docs/_book.yaml
<link rel="stylesheet" type="text/css" href="/styles/docs.css" />You can use Firebase Authentication to let your users authenticate with Firebase using email addresses and passwords.
If you haven't already, follow the steps in the Get started guide.
Enable Email/Password sign-in:
To create a new user account with a password, call the createUserWithEmailAndPassword()
method:
try {
final credential = await FirebaseAuth.instance.createUserWithEmailAndPassword(
email: emailAddress,
password: password,
);
} on FirebaseAuthException catch (e) {
if (e.code == 'weak-password') {
print('The password provided is too weak.');
} else if (e.code == 'email-already-in-use') {
print('The account already exists for that email.');
}
} catch (e) {
print(e);
}
Typically, you would do this from your app's sign-up screen. When a new user signs up using your app's sign-up form, complete any new account validation steps that your app requires, such as verifying that the new account's password was correctly typed and meets your complexity requirements.
If the new account was created successfully, the user is also signed in. If you are listening to changes in authentication state, a new event will be sent to your listeners.
As a follow-up to creating a new account, you can Verify the user's email address.
Note: To protect your project from abuse, Firebase limits the number of new email/password and anonymous sign-ups that your application can have from the same IP address in a short period of time. You can request and schedule temporary changes to this quota from the Firebase console.
The steps for signing in a user with a password are similar to the steps for
creating a new account. From your your app's sign-in screen, call
signInWithEmailAndPassword():
try {
final credential = await FirebaseAuth.instance.signInWithEmailAndPassword(
email: emailAddress,
password: password
);
} on FirebaseAuthException catch (e) {
if (e.code == 'invalid-credential') {
// Email or password is incorrect. Projects with email enumeration
// protection enabled (the default since September 2023) return this
// code instead of 'user-not-found' or 'wrong-password'.
print('Invalid email or password.');
} else if (e.code == 'user-not-found') {
// Only returned when email enumeration protection is disabled.
print('No user found for that email.');
} else if (e.code == 'wrong-password') {
// Only returned when email enumeration protection is disabled.
print('Wrong password provided for that user.');
}
}
Note: Since September 2023, Firebase enables
email enumeration protection
by default on new projects. With this feature enabled, user-not-found and
wrong-password error codes are replaced by invalid-credential to prevent
revealing whether an email address is registered. You can manage this setting in
the Firebase console under Authentication > Settings.
Caution: When a user uninstalls your app on iOS or macOS, the user's authentication state can persist between app re-installs, as the Firebase iOS SDK persists authentication state to the system keychain. See issue #4661 for more information.
After a user creates a new account, this account is stored as part of your Firebase project, and can be used to identify a user across every app in your project, regardless of what sign-in method the user used.
In your apps, you can get the user's basic profile information from the
User object. See Manage Users.
In your Firebase Realtime Database and Cloud Storage Security Rules, you can
get the signed-in user's unique user ID from the auth variable, and use it to
control what data a user can access.
You can allow users to sign in to your app using multiple authentication providers by linking auth provider credentials) to an existing user account.
To sign out a user, call signOut():
await FirebaseAuth.instance.signOut();