Please complete authentication features

ros

#1

So far:

Besides this, I find the way these issues are handled concerning. For example, the reset/forgot password functionality issue was opened more than 1 year ago and so far there hasn’t been a lot of progress. The overall tone of Realm’s staff in these issues also gives me the impression these features are seen as tangential / low prio. Someone even suggested using a CLI command to reset passwords, which, well, no comments.

And I don’t understand this, because authentication is a requirement to use the ROS and forgot password, reset password, delete account and confirmation emails are a part of it. If I release my app without forgot password, users that forget their passwords will probably end up uninstalling my app and giving it a bad rating. I at least can say that I’d be enraged, though I can’t speak from experience since I have never come across anything with authentication and no way to reset the password. And they can’t even delete the account and create it again, because that feature is also not ready yet.

Also, one of the major appeals of using ROS is “serverless” - most of us don’t need / want to do anything with the ROS except starting it, and then using it in the app via the SDK. Expecting us to roll our own authentication / email server and get this to work properly with Realm is not what I would expect from a paid product. Judging by several comments in the linked posts, I’m not alone with this.

The most frustrating part of this is that I still don’t see a change in attitude here - there’s nothing concrete on when these features will be fully supported, except some “plans” “at some point”.

This is not a nice to have - it’s urgent, it should have been available since authentication became available.

This kind of thing sometimes makes me doubt the seriousness of Realm. It’s for the most part a good product, but then there’s also this puzzling total lack of awareness.

Please take this complaint as constructive criticism - I’m not interested in a discussion, just please fix / complete your authentication process.


#2

Easy on the venting bro, there is no act of congress that requires you to use Realm. Having said that, I do share the desire for easy to implement authentication to be a first-class citizen with the product and it has not, so I sort of understand, because this craft is not easy.

What I have done in one of my apps is to use Firebase Authentication, which provides an out of the box no pain authentication to handle user-facing authentication workflow, and then manage sync user object with code.

After DigitalOcean refreshed my server and wiped out my users data, I started creating a workaround that uses just Realm Database on the device and saves the data @ Firebase Datastore, then Realm Cloud was announced and I started evaluating it.

So, if you are attracted to Realm because of the many things it does right, you should be kinda patient and/or create workarounds to suit your need.


#3

Just to make sure it is covered here as well, I tried to shed more light on the situation with my comment here: https://github.com/realm/realm-object-server/issues/16#issuecomment-364753351


#4

Ok, thanks.

@valokafor it’s precisely because Realm is good that I’m sticking to it and spending my time writing this complaint instead of switching to another product. Complaint as in “please fix it”, which I think is legitimate and shared by many others.

I don’t really want to add another dependency to my workflow (i.e. Firebase) + don’t have the time right now, but it seems this will be necessary.

Keep up the good work and all that, but please fix it 🙂


#5

Concrete question: What would you think is a realistic timeline for your authentication being production ready?

I ask because I still have a few months until I release my app, so if I know that your authentication will be ready in e.g. 5 months, I’d wait.

But if you say it takes more, I’d probably start now to implement Firebase authentication.


#6

We should be releasing some improvements (password reset and email confirmation) to the password provider in the coming weeks. Preliminary support has already landed in ROS but it’s too barebones and poorly documented, which is why we’d like to polish it a little before documenting the flow. Sorry for the time this has taken but we are optimistic about solving most of the concerns you’ve outlined much earlier than your app’s projected release date.


#7

We can’t release our app to our users for beta testing without password reset. It would frighten them off.

We’re now concerned we won’t be able to beta test until after Realm Cloud GA. We can’t charge our users while our app is in beta, but Realm will be charging us, so beta testing is going to be quite expensive for us.

I think Realm recognise that password reset has been a blocker for a number of devs who are developing for Realm Cloud. Will GA be pushed back until after we are able to test with password reset?


#8

As @nirinchev mentioned this functionality is coming potentially as early as next week. @Nosl we definitely will work with you to make sure you can test before charging anything as we definitely understand the


#9

@nirinchev thanks…
but you say “most”… we can’t release with most, we need all… for example, you don’t mention forgot password, which is different to reset password… or what am I supposed to understand under “most”?

Btw, in the meantime, perhaps you should inform the users that your authentication isn’t production ready and provide full examples of how to implement custom authentication with major providers like Firebase. It’s very misleading at the moment because this isn’t stated anywhere. The examples and everything always show your own provider - which leads us to think this is ready to use.


#10

When I say reset password, I mean functionality to allow users to request that an email be sent with a link to reset their password and choose a new one. Not sure if that’s different from what you have in mind about forgot password.

And I said “most” because it’s not clear to me what some of these points include. For example “No confirmation emails for register / change password” may mean that you expect that ROS sends an email to the user to notify them that they’ve changed their password which doesn’t seem like critical functionality.

Ultimately, authentication is a very broad field and deciding when a system is production ready depends heavily on your app’s requirements. With the upcoming improvements, I’m fairly confident we’ll cover most apps’ needs, but for some advanced scenarios, such as two-factor authentication or SMS verification, the password provider may never be considered “production ready”. This is why we’ve made it extremely easy to integrate with Auth0 or similar services, whose entire business model is based on providing extremely feature rich authentication API. In terms of documentation, we have examples on integrating with Cognito and will soon publish tutorials for Auth0.

In any case, if you outline your app’s authentication requirements, I’d be happy to give you some broad timelines on when you can expect us to ship these features. We’d like to be as transparent as possible as we have no interest in misleading you into using our built-in auth providers if they’re not going to be complete enough by the time you launch your app.


#11

Thanks for the detailed response @nirinchev

I’m perfectly fine with the standard / basic features, no special needs. With the confirmation emails, I meant the typical “confirm your registration” email, in the case of register, and the email to reset the password, which you just mentioned.

It was important to mention specifically forgot password, because reset password can be understood as when you’re already logged in and just want to change it. But you just also clarified that this will be included as well, so all good.

Please understand the irritation so far, the clarity, concerning this topic, which you have brought in with this last message, is missing everywhere else.


#12

My vote is that we get our hands on the new authentication features sooner rather than later. While Realm Cloud is in beta I think devs understand bugs are part of the deal. By giving it to us sooner we can find bugs sooner. It also lets us work out how we work the new auth features into our workflow.


#13

I think authentication is not Realm’s major purpose and therefore authentication should not be a priority. From the beginning I found it strange that this was even offered and would never embed this in my productive version since it also would make my product even more dependent on the database/cloud database solution. Therefore very happy with the Auth0 plug and play system which works perfectly for me.


#14

We’ve rolled out password/reset and email confirmation functionality to all instances now. It depends on the username used to register the user being their email. By default emails are sent from [email protected], but you can change that if you provide your own SMTP connection string.


#15

Any documentation coming?


#16

Let me be the first to make a mess of this. From the Realm Cloud log for our instance:
`Failed to start provider PasswordAuthProvider(password) with config {"autoCreateAdminUser":true,"emailHandlerConfig":{"connectionString":,"from":[email protected],"baseUrl":"https://***.us1a.cloud.realm.io/"}}. Error: TypeError: Cannot create property 'mailer' on string`

my-smtp-server is the server I use in send mail config for my email client.

I’ve created a ticket at support.realm.io


#18

@nirinchev That’s great to read! Some questions: Is there documentation available and when do you think this functionality will be available in the clients (in my case interested in iOS/Swift)?


#19

The docs are being written, so hopefully by next week we’ll have it. We’re updating the SDKs currently, so they should expose convenience API in their next releases. In the meantime, you can redirect your users to https://my-instance-name.cloud.realm.io/reset-password where they’ll be able to initiate the password reset flow themselves. If you’re in a rush though and the web form doesn’t fit well in your app flow, I can outline the HTTP API you can call manually to initiate the reset flow.


#20

Hi,

As I’m about to go live at the start of next month, I will appreciate it if you can outline the HTTP API.
Is there an option to control password complexity upon reset? Via the link you sent, a user can set a one letter password, for example.
Thank you


#21

Thanks @nirinchev!

I’m not sure I’ll need the HTTP API but other people seem interested in it, so this is in any case welcome.

Will registration confirmation email also be available (seems fitting if there’s forgot password)?
Edit: You actually wrote “We’ve rolled out password/reset and email confirmation” before so I guess that’s a yes.

A last question - since it was listed in the initial points - will the next version of the client SDKs support delete account too?

I’m just planning 1-2 days to integrate all this (i.e. finish everything authentication related) once the SDK is ready and would be interested in knowing about when this could be.