I am implementing an app using Nuxt3 and Firebase.
Currently, the authentication is using a plugin. The problem is that to define firebase tools in the plugin I have to use a public variable containing the API keys etc ... So everything looks to be visible into the client side.
I am looking for a secure way to implement auth on the server-side. How can I proceed to avoid any problem ?
Thanks for help
If you are concerned that your firebaseConfig is exposed on the client side, that's fine.
As answered in this thread, that config simply identifies it on the firebase server.
Related
I am planning to use Firebase App Check to verify that requests made to my backend services (including Firebase) will be from my app only.
I would like to know how can i validate / verify that the App Check token sent from the method FirebaseAppCheck.instance.getToken() on my backend ?
PS : my backend is in python but i am more asking about the way to verify than the code, but if you provide the code in python as an example it will be appreciated.
This may be what you're looking for firebasedocs
You can only take advantage of that verifyToken api if you're using a Node.js server, otherwise it's not available yet.
You can manually verify the token though:
https://firebase.blog/posts/2021/10/protecting-backends-with-app-check
I am building an app in VueJs and I am looking for the best way to do the authentication part, there is an API in progress as well that will need token verification for protected end points.
I would like to know if is possible to integrate Auth0 to Firebase in a way that Firebase is the main center of communication between the VueJs app and Auth0 (the same thing with the API -> Firebase -> Auth0).
I am asking this because I would like to know exactly if I can save some lines of code and performance using Firebase tools to get what I need from Auth0 without connecting directly to Auth0 API. Also I would like to use Fire Store to save the tokens I get from Auth0.
is possible to have this kind of architecture?
Here is a diagram for a better understanding of the wished result, hope is not confusing.
https://ibb.co/68tpw8L
Thank you!
These links are the closest solutions I found thru Google.
But according with the info I found you can do this but using Auth0 as my main gateway but I want all the contrary, using Firebase as the main gateway.
https://firebase.google.com/docs/auth/web/custom-auth#before-you-begin
https://auth0.com/docs/api/authentication#delegation
https://firebase.google.com/docs/web/setup
https://auth0.com/blog/developing-real-time-apps-with-firebase-and-firestore/
Auth0 has deprecated the /delegation endpoint which is used to get the token for third party vender.
https://auth0.com/docs/migrations#api-authorization-with-third-party-vendor-apis
As a workaround, use the firebase custom token authentication mechanism. https://firebase.google.com/docs/auth/admin/create-custom-tokens
https://firebase.google.com/docs/reference/js/firebase.auth.Auth.html#signinwithcustomtoken
To create a custom token, you can use the firebase function if you do not have a backend server.
The entire flow is described in the following auth0 blogs with a complete project.
https://auth0.com/blog/how-to-authenticate-firebase-and-angular-with-auth0-part-1/
https://auth0.com/blog/how-to-authenticate-firebase-and-angular-with-auth0-part-2/
I implement user signup logic in my nodejs backend server. It uses firebase for username and password signup. Below is the code used in nodejs:
var firebaseClient = require('firebase');
firebaseClient.initializeApp(config)
firebaseClient.auth(). createUserWithEmailAndPassword(req.body.email, req.body.password).catch(function(error){
console.log(error);
})
the problem for this approach is that firebase has a usage limit which is 100 accounts/IP address/hour. All users who signup in my application will go to my nodejs server first. That means firebase will think there is only one user. It will meet the usage limit very easily. I know I can put the signup process in the frontend but I don't like doing this. Because my signup logic needs to save something in my local database as well. I wand them to be in one place. Does anyone know how to handle the usage limit in my case?
The Firebase-Auth AdminSDK should not be rate limited so you can use it on your NodeJS server without any problems to handle as many user authentications as you require.
Make sure you don't use the client-side javascript SDK, which should not be used on the backend, but instead for frontend consumers like IoT, WebApps, Consumer Desktop Apps..
More info on the difference here: https://firebase.google.com/docs/admin/setup
I'm sorry if it's a duplicate question, but I haven't found any answers that answer my question.
I use firebaseConfig to initialize firebase in my app. As far as I know, there's no way to secure keys when using only client-side code so anyone may access my firebase config.
I've read about security rules. But what prevents bad guys from siging up in my app, copying my config, and starting local server, logining in and accessing database data?
I thought about authDomain, but it allows using localhost, even if I can prevent from sending requests from localhost, the app needs maintaining so it's required to use localhost from time to time.
So the questions is how to prevent from signin-up, and using firebase key on localhost.
By the way, is it secure enough to use stripe API payments without in my single page app?
I'm aware that using Twitter/Facebook Firebase authentication with React Native throws an error since obviously that's not the right env to open up a new auth window. Also, Email/Password auth should also fail since it's reliant upon LocalStorage which React Native doesn't support. Is the best way to implement any sort of Firebase authentication in React Native to create a Swift/ObjC bridge then really just use the Swift/ObjC Firebase auth library? If so, does anyone have any examples of doing this?
Update: As of Firebase 3.x, Firebase Authentication will correctly persist users in React Native apps.
Ahh, I didn't realize that React Native didn't polyfill localstorage. So if I understand your question right, email/password auth with Firebase works fine in React Native, except it is not persisted across app starts, so the user has to log in every time.
One possible solution would be to manually persist the auth token yourself. Something like:
Call authWithPassword(...) as usual.
In the onComplete handler, retrieve authData.authToken and store it locally (e.g. using AsyncStorage).
On next app start, retrieve the auth token from storage and call authWithCustomToken(authToken, ...).
We'll look into making Firebase do this automatically, but it's a bit tricky to do this without affecting other consumers of Firebase besides react. I've added this to our internal bug database though and we'll see what we can come up with. We'll update this answer when we have a solution. Thanks!