Im currently trying to build a web app using firebase and am fairly new to web development. I currently am using SvelteKit and am only allowing users to sign in via email authentication with Firebase Auth. I was curious to if there was a more efficient method of account linking than what I am currently doing
I currently have users:
Click Link Discord button
User Authorizes with Discord
I store user discord info in their user document in Firestore
The problem I see with this is that if the users change their account info on discord that it will not be reflected in my app.
Should I be storing the tokens in a cookie and calling them? would that be also bad as the tokens expire?
Related
I develop an iOS application and I'm using Node & Postgres for handling user data and authentication. I would like to add a chat feature to my app and I chose Firestore for this.
My question is how should I link the existing user data with a Firebase collection of users without re-implementing the authentication part from the ground up. Right now the authentication is based on JWTs with access and refresh tokens.
In order to link my existing users, I can add the userId already present in my database to the users collection that I will create in Firestore, but I need some kind of authentication to ensure security.
While the token for Firebase is also a JWT, it will probably have to be separate from your existing JWT, as it contains Firebase-specific information (such as the project ID), and they're signed with different keys.
After you authenticate the user with your own backend, mint a custom token for Firebase authentication with the information you want to use in Firebase/Firestore and security rules, pass that to the client, and sign them in to Firebase with it.
In my Flutter management application, I would like to disconnect a user other than the one I am logged in with.
I use Firebase as my database, and use email and a password to log in. I don't use a token
I know that in order to disconnect the user I am currently logged in with, it has to be done like this:
FirebaseAuth.instance.signOut();
I can't figure out how to disconnect another user.
In the Firebase client-side SDKs, you can only sign out the currently signed in user. There is no way to sign out a user on another device.
If you want to add user management functionality to your client-side application, you'll want to use a combination of the client-side SDK and a server-side Admin SDK to build this functionality:
Use the Admin SDK in a trusted environment (such as a server you control, or Cloud Functions) to implement the user management functionality.
Create an endpoint that clients can call that exposes this functionality, for example as a callable Cloud Function.
In that endpoint be sure to check whether the user is authorized, for example by checking their ID token to see if it has a certain UID or custom claim.
Call the custom endpoint from your client-side code.
In my app I've 2 login methods(google&facebook) and all the users appear in the Authentication part inside my firebase project, and I haven't list/collection of my users in my database.
I want to display in my app list of users with some personal data.
My question is how do i get access to the users from the Authentication part(to get all the users for example)?
Is it good approach that the users appear only in the Authentication and not inside my database?
You can't list user accounts with the Firebase Authentication client SDK. You can only do that with the Firebase Admin SDK on a backend you control.
If you think it's OK for your users to be able to know all other users, then you should store that information in your database to make it queryable directly from the client, or create some sort of API endpoint where you can invoke the Admin SDK from your app.
I am building a web and mobile app using firebase. When signing with Google, firebase auto creates a new account in the project (Auth) if one does not exist. Its fine with the mobile app.
But with the web, I just want existing users (who created accounts with mobile app) to signin and not create new accounts via web.
How do I setup firebase not to create new accounts if one does not exist?
There isn't a way to restrict social sign-in with Firebase Auth to "only sign in, not sign up".
If you have a means of detecting users that have signed in using the app at some point (e.g. by writing a value to your database in a specific location), you could check for that value when signing in via the web, and, if missing, display a screen encouraging users to install the mobile app.
I think this is what you are looking for:
Link Multiple Auth Providers to an Account Using
JavaScript
You can allow users to sign in to your app using multiple
authentication providers by linking auth provider credentials to an
existing user account. Users are identifiable by the same Firebase
user ID regardless of the authentication provider they used to sign
in. For example, a user who signed in with a password can link a
Google account and sign in with either method in the future. Or, an
anonymous user can link a Facebook account and then, later, sign in
with Facebook to continue using your app.
What's the difference between app access token and user access token?
I noticed that userData from FB is different, but I can make OpenGraph action and post on user wall or send to friends wall.
Can I use app access token in OpenGraph action?
App access_token allows you to make request to the Facebook API on behalf of an App rather than a User. This is useful, for example to:
modify the parameters of your App
create and manage test users
read your application's insights
publish content to Facebook on behalf of a user who has granted a publishing permission to your application
Now in the Open Graph area:
If your app publishes on behalf of its users and requires an access
token with no expiration time, you should use an App Access Token. An
App Access Token is signed using your app secret and will not expire;
it will be invalidated if you re-key/reset your application secret.
App Access Tokens should only be used when the posting functions are
originated directly from your servers in order to keep them private to
the app.
...
App Access Tokens are especially useful when
publishing instances of “secure Open Graph actions”, Open Graph
actions that should only be published by your app, such as
achievements and game scores. In this specific example, a user is
prevented from gaming his/her score by publishing fake
scores/achievements using a user access token.
Please read the following documents:
Login as an App
Using App Access Tokens (Open Graph)