1

I have decided to switch my customer base over to email link sign in with Firebase rather than Google/Email/Apple that I was previously doing.

I got everything set up, tested, and all was working well. Since I have now released customer wide I am starting to run into issues.

Some customers, including gmail users are getting a Suspicious email alert due to having a firebaseapp.com link in it. Today, I created a brand new project for a customer and went to log in for the first time, Gmail as all good, but now Chrome is giving me a "Deceptive site ahead" error page saying this website does phishing (the subdomain is about 6 hours old).

Can anyone think of an appropriate solution for this, or will I have to do some URL rewriting?

It is frustrating the firebase URLs are so blacklisted across the internet(I have had to omit storage url links for pictures and make custom emails altogether since the domain is banned by Exchange), I would think this should be much easier than it is being made out to be.

When I first ran into the Gmail issue the only thing Firebase support gave me as a solution is to build my own custom email handler. In following that, I assume I would either need to rewrite the domain after generating the sign in link, which I am a bit hesitant to do in case there are domain changes in the future or I wondered if updating my email template domain will solve the problem. When I started this process I realized I needed to update my DNS records for this. The problem here is that I whitelabel apps and have 150 projects or so and each customer gets their own project. The management of this is really not feasible.

I have dynamic links enabled for all projects and use the projectid.page.link domain for them if there is some way I can get that to work as well.

Joe Duemig
  • 15
  • 4
  • Unfortunately this is common these days. The two main steps to mitigate are to: 1. Add a custom domain, 2. use a custom SMTP server. Also see: https://stackoverflow.com/questions/72922475/why-did-this-code-fail-to-send-password-reset-link-in-firebase/72922603#72922603 Unfortunately that isn't any less manual work per project. – Frank van Puffelen Jan 03 '23 at 19:51
  • Frank, I noticed one of the TXT records requested is: firebase=*projectId* Would this work in my case if I put a TXT record for every single project? This is the problem child that would require all the work. Another question is if we could use firebase hosting for this? Use *projectId*.web.app, I don't see how we can modify the DNS, but are these records already set for hosting urls? – Joe Duemig Jan 03 '23 at 21:22
  • For what is that `TXT` record requested? – Frank van Puffelen Jan 03 '23 at 21:32
  • When you click "Customize Domain" for email templates (I assume this is what updates the signinlink url domain as well), you put the domain in and it asks you to add four records to your DNS, 2 TXT records and 2 CNAME records. All of them are static and do not change between projects except the second TXT record is "firebase=*projectId*". In my case, I am white-labeling and all projects would go to the same website, would I need 150 TXT records with the Firebase project, a comma delimited list of projects, would it not work at all? Is there a way around this particular TXT record. – Joe Duemig Jan 04 '23 at 14:00
  • The other option I asked about was how we go about using firebase hosting to host the custom email handler since I don't see a way for us to change the DNS records for *projectId*.web.app – Joe Duemig Jan 04 '23 at 14:03

0 Answers0