I was wondering since I don't find the answer online, where or "how" is the firebase user session (using auth()) stocked in React Native ?
I know it's open source but I can't find what I want. If possible I would like to know the location/way for both ios and android.
In browser based environments, Firebase Authentication stores the user credentials in local storage, and restores them from there when the page reloads.
In native Android environments, Firebase Authentication stores the user credentials in the shared preferences of the app, and restore them from there when the app reloads.
In native iOS environments, Firebase Authentication stores the user credentials in the user's keychain, and restore them from there when the app reloads.
If you need to control the storage of the user credentials in a JavaScript environment, check the documentation on auth state persistence to learn about your options.
Related
I am trying out Firebase / Firestore. When I run the command-line firebase login in a Linux terminal, I am redirected to the typical Google login web-site but with an additional Firebase-logo. After login on that web-site, I have to enable various features and permissions for Firebase to access my Google account.
Then the firebase program on my local Linux PC knows that I have logged in to my Google account. Even after I restart the computer, the firebase program is apparently still logged in to my Google account.
How does this work behind the scenes? Is my Google account password stored on my local PC somewhere, since firebase remains logged in to the account? Doesn't that cause a security risk?
Thanks!
No, passwords are never stored like that. That would be incredibly unsafe. The CLI is storing a special token that gives access to parts of the account that you authorized in the web browser. That token is valid until something invalidates it, or you sign out by running firebase logout. It's similar to the way most auth systems work that allow an individual to stay signed in for long periods of time without reauthenticating.
If you want to see exactly what the CLI is doing, it's all open source.
I want to develop a Web App which runs on Firebase where I log in (once) using the providing google sign in.
The App should use the google APIs to display a variety of informations (email, some special calendars etc).
The idea is to have this Web App run on my tablet 24/7 and never touch it but according to this the authentication token will expire after 24 hours which means I need to login every 24 hours.
What is the best way to have a "persistent" login which only expires when the device (or browser) is shut down?
You're looking at documentation for IoT core. Unless you're using IoT core, that documentation won't apply to you
In regular web apps that use the Firebase JavaScript/Web SDK, the ID tokens is automatically refreshed every hour, and credentials are persisted by the SDK and restored when the app restarts.
In practice this means that the user can sign in once, and stay signed in until you either sign them out explicitly, or until a compelling event forces them to reauthenticate (something like their password being changed, or you disabling their account). Unless something like that happens, you can always get the currently signed in user by using an auth state listener.
I am building a Flutter app with Firebase Authentication. I am trying to find a way to ensure that the communication going to my backend is actually from the app I wrote and uploaded to the stores. I thought that I could be using the JWT provided as a result of the firebase login for this task to ensure that the logins can be made only from within my app.
I figured out that certain signs in email and password methods can be logged in from outside the app it was intended for. However, since google and phone sign-in require an SHA-1 key to be registered to the firebase project, I wondered if I could ensure that by restricting logins to these methods, only the trusted app can generate valid JWT and communicate with my backend.
I do not know much about security, so I would really appreciate any tips.
I developed two different Flutter applications. An Admin Version and another Client Version. I would like to use the same login (auth) and access to Storage for both Apps.
It's definitely possible to access the same Firebase project from two different apps. In fact, when these apps are locally part of the same "application", that is actually an intended use-case.
A few things to keep in mind though:
Firebase Authentication does not have the concept of an administrator user. It "merely" authenticates the user, allowing them to sign in with their credentials. Any administrator logic is specific to your application, hence often referred to as an application administrator. You'll typically want to flag application administrators, for example by setting a custom claim on their accounts.
Not all functionality that the application administrator may need is going to be available in Firebase's client-side SDKs. A common scenario is that the administrator should be able to create accounts for other users, where the client-side Firebase Authentication SDKs don't support this logic. For some more information on this, and how to solve it, see Firebase kicks out current user and my answer with many links here How to create firebase admin user for authentication in java. In a nutshell: you'll have to use the Firebase Admin SDK, in a trusted environment, for some of these operations.
You then secure access to Cloud Storage by writing security rules. For some examples of securing access based on the user, see the documentation on securing user data.
Does firebase auth still keep the user in offline mode of a progressive web app ?
How does firebase auth works if the app is in offline ? Would like to know the two scenario.
User want to login for the first time during the app is in offline (app is using pouchDB & CouchDB for sync)
User already signed in, but app became offline. Does this mode even still work with firebase auth ?
Regards,
Sowmyan
Authenticating the user requires an active connection. There is no way for Firebase to authenticate your users without connecting to its servers.
Once the user is authenticated, the app will continue working when the user goes offline. Firebase Database operations will be reading from the local cache and writing to a queue. Once the connection is restored, the user's authentication token is (if needed) refreshed and the writes are sent to the server.