In Firebase Authentication, when you call sendPasswordResetEmail() with a user's email, what is the immediate behavior of the service?
firebase.auth().sendPasswordResetEmail(userEmail);
Think about what a password reset email is supposed to do.
Calling sendPasswordResetEmail() triggers Firebase to send an email to the user with a link to reset their password. The password is not changed automatically, and no password data is returned.
The Firebase password reset flow includes sending a reset link to the user's email. Which security risk does this flow primarily prevent?
Consider what access is required to reset a password.
The reset link is sent to the user's email, so only someone with access to that email can change the password, preventing unauthorized changes.
To customize the password reset email sent by Firebase, which configuration setting must you modify in the Firebase Console or via API?
Think about where email templates are managed in Firebase.
The Firebase Authentication section includes email templates for password reset, verification, and welcome emails.
When a user clicks the password reset link sent by Firebase, what is the recommended architecture to securely handle the reset process?
Consider how to verify the reset code and collect the new password safely.
Firebase Hosting can serve a secure page that uses the Firebase SDK to verify the reset code and let the user enter a new password safely.
To improve security in the Firebase password reset flow, which practice is recommended?
Think about limiting the window of opportunity for attackers.
Short expiration times reduce the risk of reset links being used maliciously after a long time.