Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
What are the benefits/drawbacks of these Auth options, as displayed on my Firebase Auth menu?
Here is some context about my app:
My app isn't security critical, hence:
I want to optimize for a quick / easy Auth experience
My app is only Mobile
I expect my users to stay logged in unless they manually sign out or are using a new / different phone.
And of course development and maintenance costs should be considered.
TL;DR Use the "additional providers" and focus on building your app rather than building authentication systems.
Firebase Authentication is a powerful and reasonably easy to use tool that gives you(r app) the ability to authenticate your users using their preferred auth mechanism (rather than your proprietary system requiring your users to remember passwords for myriad sites).
If your users already have a Google, Microsoft, Facebook, Apple etc. account, enabling the relevant subset from these "additional providers" adds very little overhead to your code but increases the chances your users will already have an account that they can use.
In addition, because e.g. Google, Microsoft, Facebook, Apple is handling authentication for you, your app becomes simpler and, unless you choose the native providers (phone, email) (which you should probably not do) you don't have to take on the burden in being diligent in managing your users' credential (e.g. email, passwords etc).
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 4 months ago.
Improve this question
So, I am trying to safely store an authentication token using Angular, processed with additional encryption on top (in front end) and put it in browser local storage (so that not anyone can de-code it).
Many people recommend this method, but I came across several opinions that say even in such case one can access your source code through your browser and get your secret key to decrypt the Auth Token (for example experienced hacker).
Many people claim that Access + Refresh tokens are the best in terms of security.
So, my question is - what are standard practices for serving/ storing authentication token? Is token encryption in local storage good implementation or should we use refresh tokens (although, they are harder to implement)?
I think you should use both a refresh and access token for maximum security...the access token should have an expiration date and should be blacklisted after rotation(when you use the refresh token to get an access token)...if you need even more security,after rotation,the user should get a new refresh and access token
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 months ago.
Improve this question
I am trying to use firebase to build an e-commerce application. In the application, there will be normal customers that can buy items from a store. A store will have its own page where there will be a list of all the products that the store is selling. However, some people own multiple stores, so I want to be able to create a way for them to have an overview of all their stores too. For example, a customer named John can buy a product from a store named 'John's Electronics store'. John is a business owner that owns 'John's Electronics' and 'John's Sporting Goods'. John has managers at each store that should be able to handle the store's account, but John should be able to grant and revoke access for the managers.
Is there a name for this sort of architecture? I am unsure of the best way to model the data and permissions. I am building this application with Firebase's Cloud Firestore. I have thought of using custom claims. Any advice on how to go about doing this would be greatly appreciated as I am a beginner with this stuff.
What you're looking for is role-based access control, and it is described in the Firebase documentation on security rules here and in this video: Implementing Authorization Models.
Here on Stack Overflow, I also recommend looking at:
What is the best way to authenticate two types of users (Student and Driver) in my android app using Firebase
Firebase Auth signIn distinction
Multiple role authentication Firebase Web
firebase security rule to allow admin users to read/write all other users creates a security breach?
I need to create 3 types of users
Firebase Auth with different user types
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 months ago.
Improve this question
If I have AppCheck enabled, how would it be possible for an attacker to make any Firebase call they want? What other vulnerabilities exist even with AppCheck enabled on a mobile app?
Firebaser here!
Please see How strong is the security provided by App Check? in our documentation for a high level description of the security offered by App Check.
App Check is only as strong as the underlying Attestation provider (such as SafetyNet/Play Integrity on Android, Device Check/App Attest on iOS, or reCAPTCHA on Web). If an attacker can bypass the security of the attestation providers (such as tricking reCAPTCHA into believing they are not a bot, or tricking SafetyNet into believing a rooted device is legitimate) they can abuse that vector to making calls against your API.
Additionally, App Check intentionally allows for limited time-bound replay (configured by the TTL on the App Check token). This allows you to use a single attestation to protect multiple API calls. However, if an attacker uses a legitimate device to obtain a valid App Check token and then somehow intercepts that token (by either rooting the device or sniffing their network traffic), they can use the token to make calls against your API until it expires. However the cost of performing this attack generally outweighs any benefits, and becomes very costly and infeasible to perform at scale.
This is all assuming App Check is not only enabled but also enforced, and you are using it in conjunction with secure user authentication and rigorous authorization logic such as well defined Firebase Security Rules.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
In my app, I use a rest API to connect to an online web service. For this, I use sensitive data like username password but also some keys. You can see the problem when someone decompiles my app and sees the sensitive data in my code. I am using Firebase in my app. My question is what the best way could be to store sensitive data. Remember that this is the same for all devices and the info would be around 5 strings. Things I have found online are: using Firebase Database with security rules (this would be ideal but I cant get it to work for only my app), using the last pixels of a picture to store strings. Specifically, I am using Salesforce as my web service.
Thanks in advance.
I would not use username/password for your app to connect to Salesforce. Use oAuth instead and then you don't need to worry about storing passwords. You can also look at encrypting the key fields using shared keys. Your Salesforce app can decrypt the data using the encryption classes OOTB.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I've just been informed by my boss that I will be taking over our company's CRM application. It is a web-based, .NET MVC, single-code-base, multi-tenant application. As the product was explained to me, it became clear that the email feature is a nightmare to maintain. I'm looking for alternatives to doing it in-house. I'll explain:
The app logs and track all forms of contact with prospective customers... phone calls, emails, etc. Thus, one feature is the ability to send emails from within the product, and then to have any reply emails also be stored in the CRM's sql database as well.
The problems with this kind of email system built into our web-based, self-hosted CRM product are abundant, but the largest of the problems is the work we need to do to prevent our IP from being black listed. It's a nightmare. There has got to be a better way.
I asked my boss if he had looked into outsourcing the email management. He said yes, but he didn't find anything that had the features we need and still allow us the control we want.
I'll explain the features we need, and I'm hoping somebody knows of a service that might work for us.
What we need...
I envision a vendor which offers a service-based product which we can consume via some sort of API or POST. When our client sends an email from within our CRM product, we would toss over the wall (in a secure manner) to the vendor the following:
Body of the email
Sender's name, email, userid & password
SMTP address of our client
Recipient's name and email
Some sort of unique id that identifies this email, so that threads and conversations can be tracked.
The service would then validate the sender's email against their SMTP server, and send the email on his behalf.
The kicker would be being able to also track reply emails, and to get them back into our CRM product. The vendor could perhaps push them to us, or, every x minutes, would could query them to see if there are any replies waiting to be sucked up.
So, does any such service exist? If so, have you used it, and what has been your experience?
MailGun and SendGrid are two transactional email service options that you might want to consider. They offer API-based email at scale.
I know that with MailGun you can use their API to validate email addresses before attempting to use them. This may help with your blacklisting problem. Check out the API here: documentation.mailgun.com/api-email-validation.html