I have a desktop app that will be distributed to users, and part of its code (which the user might be able to access) has to perform an API call to a third-party web service. However, this requires the API keys to be embedded into the source code, which causes some obvious security issues.
The main solution I've found while researching on the subject is to have a backend server between the user and the third-party API endpoint. So, I've been looking into Firebase for a while and it seems that this solution can be implemented using Firestore and Cloud Functions.
But, I wasn't able to find any clear examples that achieve something like this, and since I have no previous experience with Firebase or just backend programming in general, I would like to know if I'm on the right track and get more details about how to get it done, or if there are better alternatives for solving this issue. Any input is appreciated, thx.
You can use the firebase cloud functions as you mentioned. Your desktop application will be communicating with the cloud function - simple API call. Here you can find examples how to implement and deploy functions and test it locally https://firebase.google.com/docs/functions/get-started. Your cloud function will hold the API keys (it is backend so it will be secure if you dont expose it explicitly. Also the backend to backend communication is considered as secure). Finally, this cloud function will call the third party service and return some data back to the desktop app if needed. So you are on the right track, that is how the design should look like. If you need some help with cloud functions, you can also contact me directly.
Related
I want to call my firebase function HTTP API from another server -- which does not have an email and password (or any other firebase authentication method).
I want to be able to run a task like read/write in Firestore, however still protect the API. I would like to create some sort of programmatic keys like AWS does for calling their APIs. But, how to do this in firebase ? How can we generate such programmatic keys to communicate between one server to another?
It seems that the best available option that you might try - because it doesn't seem to have an official way to do it - it's by using API keys to perform the verification and security of your calls. As clarified in the official documentation Using API Keys, this is not supported by all Google applications, but Cloud Endpoints should work.
Considering that, you can use Cloud Endpoints in integration with your Cloud Functions, to provide security via API keys. You can find more information on how to achieve that in this article here.
Another alternative you may want to try, it's using a JWT token - as clarified here - as a header in your API calls. This way, you will be working with authetnication via keys - not exactly as in AWS, but it's a start - so you can secure your calls. :)
Anyway, if you don't find this useful, I would recommend you to raise a Feature Request in Google's Feature Tracker, so they can check about the possibility of further implementation in such functionality.
Let me know if the information helped you!
I'm trying to build a relatively simple application that has several different views, requires authentication, collects some user data, stores it in a database, and needs backend logic to manipulate that data and spit it back out to the user in a view.
The stack I've decided on is Vue for the frontend, with Express and Node for server side logic and Firebase for some of their services (namely auth, firestore, storage).
I haven't been able to find any examples of this stack (Vue, Express, Firebase) anywhere (I have however found Vue/Express or Vue/Firebase examples). My question is whether or not Express is obsolete here in that I can use Vue router to do my routing. Is the difference that one does the rendering server-side?
You could use Cloud Functions for Firebase as your backend and then limit your stack to Vue.js and Firebase.
From the doc:
Cloud Functions for Firebase lets you automatically run backend code
in response to events triggered by Firebase features and HTTPS
requests. Your code is stored in Google's cloud and runs in a managed
environment. There's no need to manage and scale your own servers.
For your specific need: "backend logic to manipulate that data and spit it back out to the user in a view." you have several possible approaches:
You manipulate the data with Cloud Functions (in the back end), write the results of this manipulation to the Real Time Database and setup some listeners in your Vue.js frontend (with the on() method) that will refresh your front end upon changes in the database
Use some HTTPS Cloud Functions that you call, from your Vue.js front-end, as REST API endpoints. You can use Axios for example. See the doc here.
One advantage of the first solution is that you can easily, by default, rely on the database security rules, while it would need some more extra work in the second case.
I am looking to make an app that would have its Backend on another service like AWS or some other. This app would be having many features and functionalities.
But for chat feature, I am exploring options and wondering that would I be able to integrate Firebase in my app.
I have read about Firebase Functions to add more functionality at the backend and also the installation of Firebase Admin to servers.
But still I am not convinced about their capabilities and exactly what all I can do with them.
It would be great if someone who has experience with Firebase help me out figuring if going with it is the best case for me or is there something else I should look into.
So first you can't use Firebase in combination with AWS or Azure etc. Firebase is based on Google Cloud and is the interface between the mobile client (the running app on the client's smartphone) and the backend (your Firebase project).
What I use is, for example, Firebase Cloud Messaging, to simply notify one or multiple users by trigger an HTTP Request from my own web server.
I also made some apps to store the data in FireStore or in the Realtime-Database, so that I don't have to set up a whole new infrastructure. And this is basically the goal of Firebase that you can simply start with your app, without carrying about that.
So what I've heard about Firebase is that you currently cannot install Firebase on a server of your choice and you have to use Google Cloud.
Hopefully, you can do something with my answer. If you have further questions feel free to ask them.
To avoid rewriting Firebase DB logic in various apps (iOS, Android, Web) we earlier used a service/middle layer to hold this logic. In this way the app never interacts with the DB directly.
However, in the new architecture with Firebase and Google Cloud Functions, would it be wise to route all DB calls through Cloud Functions or should this be done only selectively based on use case?
In almost all the examples I’ve seen so far, the app directly interacts with Firebase DB and the Cloud Functions are meant to only listen to certain events and used selectively. They are not meant to be a middle layer.
This approach would however lead to the need to duplicate DB logic in all apps. Can this duplication of code be avoided?
Yes. By moving certain functionality from your application code into Cloud Functions, you will only have to implement that logic once: in JavaScript. This is great for certain logic that you either don't want on the client (too big, too secret, too slow, etc).
But:
Each client will still need code to access the functionality in Cloud Functions. This can be as simple as a write through the Database SDK, but can also get quite involved.
The functionality will only be available if the user has a network connection. Unlike client-side functionality, it won't work when the user is disconnected/offline.
I am using Firebase for my new project. This will be used on both Android and IOS. As you can guess I don't want to write the same code over and over again for both OS.
I am considering to code most of the work with Javascript on the cloud functions. In order to do that I need to use HTTP Requests to call my functions since firebase doesn't support any other way to call cloud functions.
There is two question in my head about this.
Is this possible and does it makes sense?
Since I've been using HTTP Requests all the time isn't that make my app open to listening with tools like Wireshark etc if there are multiple users on the same network? (I know Firebase now supports SSL but do I have to but a domain and license for that?)
What is the best way to do it in an engineer's perspective?
You can certainly move more of your app logic into Cloud Functions. But it's not really true that the only way to invoke a Cloud Function is via HTTP. You can also push data into your database to invoke a database trigger. I gave a talk on this at Google I/O yesterday about how I made a game with all the logic in Cloud Functions. You can watch it here.