Build an in-app password change screen for authenticated users with three fields: current password, new password, and confirm new password. Verify the current password by re-authenticating with Firebase Auth. Validate the new password for minimum 8 characters, one uppercase letter, and one number using a Custom Function that returns a strength score for the progress meter. On successful update, sign out the user and redirect to login so they re-authenticate with the new password.
Building an In-App Password Change Screen
This screen lets logged-in users change their password from within the app. It differs from the forgot password flow (#28) because the user is already authenticated and must verify their current password first. This is a security feature found in every production app.
Prerequisites
- A FlutterFlow project with Firebase or Supabase authentication configured
- Email/password authentication enabled
- The user must be logged in to access this page
Step-by-step guide
Create the password form with three fields and visibility toggles
Create the password form with three fields and visibility toggles
Create a ResetPasswordPage. Add a Column with three TextField widgets: Current Password (obscureText: true, prefixIcon: lock), New Password (obscureText: true, prefixIcon: lock_outline), Confirm New Password (obscureText: true, prefixIcon: lock_outline). For each field, add a suffixIcon IconButton that toggles between visibility and visibility_off — on tap, toggle a Page State boolean (showCurrentPw, showNewPw, showConfirmPw) and bind obscureText to its inverse. Add Page State variables for each field value.
Expected result: Three password fields with show/hide toggles for each.
Add a password strength meter below the new password field
Add a password strength meter below the new password field
Below the New Password field, add a LinearPercentIndicator (height 6, borderRadius 3). Bind the percent value to a Custom Function that calculates password strength: returns 0.0 for empty, 0.25 for length >= 8, 0.5 if also has uppercase, 0.75 if also has number, 1.0 if also has special character. Set progressColor conditionally: red below 0.5, amber below 0.75, green at 0.75+. Add a Text label below showing the strength level ('Weak', 'Fair', 'Good', 'Strong').
Expected result: A color-coded progress bar shows password strength updating in real-time as the user types.
Validate all fields before attempting the password update
Validate all fields before attempting the password update
On the Update Password button tap, run validation checks: (1) current password is not empty, (2) new password meets minimum requirements (>= 8 chars, 1 uppercase, 1 number), (3) new password matches confirm password, (4) new password is different from current password. Show specific error messages for each failure: 'Current password is required', 'Password must be at least 8 characters with one uppercase letter and number', 'Passwords do not match', 'New password must be different from current'.
Expected result: Validation checks all conditions and shows specific error messages before any auth actions.
Verify current password using re-authentication
Verify current password using re-authentication
Before updating, verify the current password by attempting to re-authenticate. In a Custom Action, use Firebase Auth: EmailAuthProvider.credential(email: currentUser.email, password: currentPassword), then currentUser.reauthenticateWithCredential(credential). If this succeeds, the current password is correct. If it throws, show 'Current password is incorrect.' This prevents anyone with a temporarily unlocked device from changing the password.
1import 'package:firebase_auth/firebase_auth.dart';23Future<bool> verifyCurrentPassword(String currentPassword) async {4 try {5 final user = FirebaseAuth.instance.currentUser!;6 final credential = EmailAuthProvider.credential(7 email: user.email!,8 password: currentPassword,9 );10 await user.reauthenticateWithCredential(credential);11 return true;12 } catch (e) {13 return false;14 }15}Expected result: Re-authentication confirms the current password is correct before allowing the change.
Update the password and sign out for re-authentication
Update the password and sign out for re-authentication
After successful verification, use the Auth Action: Update Password with the new password value. On success: show a Snackbar 'Password updated successfully', then Auth Action: Sign Out, then Navigate (Replace Route) to the Login page. Signing out forces the user to log in again with their new password, ensuring the credential is fresh. On failure: show the specific error message from the auth provider.
Expected result: Password updates and the user is signed out and redirected to login with the new password.
Complete working example
1import 'package:firebase_auth/firebase_auth.dart';23/// Verify the current password by re-authenticating.4Future<bool> verifyCurrentPassword(String currentPassword) async {5 try {6 final user = FirebaseAuth.instance.currentUser!;7 final credential = EmailAuthProvider.credential(8 email: user.email!,9 password: currentPassword,10 );11 await user.reauthenticateWithCredential(credential);12 return true;13 } on FirebaseAuthException catch (e) {14 debugPrint('Re-auth failed: ${e.code}');15 return false;16 }17}1819/// Calculate password strength score (0.0 - 1.0)20double calculatePasswordStrength(String password) {21 if (password.isEmpty) return 0.0;22 double score = 0.0;23 if (password.length >= 8) score += 0.25;24 if (password.contains(RegExp(r'[A-Z]'))) score += 0.25;25 if (password.contains(RegExp(r'[0-9]'))) score += 0.25;26 if (password.contains(RegExp(r'[!@#\$%^&*(),.?":{}|<>]'))) score += 0.25;27 return score;28}2930/// Strength label from score31String strengthLabel(double score) {32 if (score <= 0.0) return '';33 if (score <= 0.25) return 'Weak';34 if (score <= 0.5) return 'Fair';35 if (score <= 0.75) return 'Good';36 return 'Strong';37}Common mistakes when creating a Custom Reset Password Screen for Your FlutterFlow App
Why it's a problem: Not requiring current password verification before allowing the change
How to avoid: Always re-authenticate with the current password before allowing password updates. Use Firebase's reauthenticateWithCredential.
Why it's a problem: Not signing out the user after a successful password change
How to avoid: Sign out the user immediately after successful password update and redirect to the login page.
Why it's a problem: Not checking that new and confirm passwords match
How to avoid: Add a confirm password field and validate that both values match before submitting the change.
Best practices
- Require current password verification via re-authentication before any change
- Show a real-time password strength meter with color coding
- Validate minimum requirements: 8+ characters, uppercase, number
- Check that new password matches confirm password before submitting
- Sign out and redirect to login after successful password update
- Add show/hide toggles on all password fields for usability
- Show specific error messages for each validation failure
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
Build an in-app password change screen in FlutterFlow with current password verification, new password + confirm fields, a strength meter, and sign-out on success. Include the re-authentication Custom Action for Firebase Auth.
Create a form page with three password text fields (current, new, confirm), a progress bar below the new password field, and an Update Password button.
Frequently asked questions
Is this the same as the forgot password flow?
No. Forgot password (#28) sends a reset email to users who cannot log in. This page (#34) is for authenticated users who know their current password and want to change it from within the app.
Can I skip current password verification for social login users?
Social login users (Google, Apple) typically do not have a password. Hide the current password field and the change password option for users who signed up via social providers.
How do I enforce password change every 90 days?
Store a passwordChangedAt timestamp in the user document. On app load, check if more than 90 days have passed. If so, redirect to this page with a message explaining the requirement.
What if re-authentication fails?
Show 'Current password is incorrect. Please try again.' Do not reveal whether the account exists or other details. After 5 failed attempts, consider adding a cooldown.
Can I add biometric authentication instead of current password?
Yes. Use the local_auth package in a Custom Action to verify fingerprint/face ID before allowing the password change. This is a premium UX enhancement.
Can RapidDev help with secure authentication flows?
Yes. RapidDev can implement password management, biometric auth, session management, and security best practices for your FlutterFlow app.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation