Firebase Flutter Authentication login environment - firebase

I am building a Flutter app with Firebase Authentication. I am trying to find a way to ensure that the communication going to my backend is actually from the app I wrote and uploaded to the stores. I thought that I could be using the JWT provided as a result of the firebase login for this task to ensure that the logins can be made only from within my app.
I figured out that certain sign-in methods, such as email and password, can be used from outside the app they were intended for. However, since Google and phone sign-in require an SHA-1 key to be registered with the Firebase project, I wondered if I could ensure, by restricting logins to these methods, that only the trusted app can generate a valid JWT and communicate with my backend.
I do not know much about security, so I would really appreciate any tips.

Related

Using Firebase Anonymous Auth as only authentication method in app

I have the following mobile app scenario based on a Firebase backend:
Two or more mobile app instances communicate with each other through a central service (trusted). The apps are paired by exchanging a shared secret, e.g. through scanning a QR code or entering a pairing code.
Users are anonymous, i.e. no signup required (or possible). Essentially, it is the specific app on a specific device that is paired with a ditto counterpart (vs user-to-user).
Information exchanged is sensitive but has no intrinsic value: It must be possible to trust that information comes from a given device and it must be possible to trust that the information has reached the intended device and not an impersonating device. But it is not a critical problem that an app instance's information is lost, e.g. if the app is removed or the device is destroyed (an annoyance that requires re-pairing, but not a critical issue).
It seems Firebase Anonymous Auth is a perfect match for this scenario - but the documentation hints that it should only be used as a temporary solution until users create an actual account. Are there any drawbacks to using anonymous auth as the sole authentication method for the solution? The alternatives I see are some kind of hack using a custom token-based login or perhaps email/password auth.
Are there any drawbacks to using anonymous auth as the sole authentication method for the solution?
There isn't unless the user uninstalls the app.
The documentation hints that it should only be used as a temporary solution until users create an actual account.
Why a temporary solution? It's because anonymous accounts do not persist across application uninstalls. If a user uninstalls the app, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account. Unfortunately, there is no way to reclaim that token for the user.
The alternatives I see are some kind of hack using a custom token-based login or perhaps email/password auth.
IMHO, the best approach would be to use anonymous authentication but to also give the user the option to link their account with email and password or any other providers, like Google, Facebook, Instagram, and so on.

Firebase Authentication and Flask

I am trying Firebase to authenticate users for a website that was initially built on Flask (using the Flask login workflow with a Postgres DB). However, I am not sure that I have a correct understanding of what would be considered best practices when using Firebase.
I read through this article, which I think has led me down a suboptimal path when it comes to actually managing users.
My questions are:
Should all the Firebase authentication be handled in the javascript?
If so, should I use the request.headers on the backend to verify the identity of the user?
Any tutorials (aside from the Firenotes one, which I am working through) much appreciated.
Should all the Firebase authentication be handled in the javascript?
No, it doesn't have to be JavaScript. But in general, you'll find that most apps using one of the existing Firebase Authentication providers handle the sign-in of the user in their client-side code, with calls to the authentication server.
If so, should I use the request.headers on the backend to verify the identity of the user?
When calling REST APIs, Firebase itself passes the ID token of the authenticated user in the Authorization header, so that's a valid approach indeed. On the server you can then verify that the ID token is valid, and decide what data this user has access to.

How to use the same Firebase Auth for Two different Flutter apps?

I developed two different Flutter applications. An Admin Version and another Client Version. I would like to use the same login (auth) and access to Storage for both Apps.
It's definitely possible to access the same Firebase project from two different apps. In fact, when these apps are locally part of the same "application", that is actually an intended use-case.
A few things to keep in mind though:
Firebase Authentication does not have the concept of an administrator user. It "merely" authenticates the user, allowing them to sign in with their credentials. Any administrator logic is specific to your application, hence often referred to as an application administrator. You'll typically want to flag application administrators, for example by setting a custom claim on their accounts.
Not all functionality that the application administrator may need is going to be available in Firebase's client-side SDKs. A common scenario is that the administrator should be able to create accounts for other users, where the client-side Firebase Authentication SDKs don't support this logic. For some more information on this, and how to solve it, see Firebase kicks out current user and my answer with many links here How to create firebase admin user for authentication in java. In a nutshell: you'll have to use the Firebase Admin SDK, in a trusted environment, for some of these operations.
You then secure access to Cloud Storage by writing security rules. For some examples of securing access based on the user, see the documentation on securing user data.

Is there authentication, as in Google Firebase even in the Google Cloud platform?

I need to identify a similar authentication in Google Cloud Platform like Google Firebase offers. I want to authenticate users by E-Mail and password.
I developed a web app that runs in GCP App Engine. This web app authenticates users by their E-Mail and password. But I won't host a custom OAuth server. Is there an OAuth server or similar authentication service provided by GCP too?
Or should I use instead Google Firebase Authentication?
You can of course roll your own authentication, but it's also possible to use Firebase Authentication in combination with your own App Engine backend. Have the users sign in with Firebase Authentication in the client-side app, send the ID token over a secure connection from the client to your App Engine server, and then verify the ID token in your App Engine code.
You can create a Firebase project linked directly to your GCP project (just find your GCP project in the Firebase project creation dialog).
Depending on the required language, they have a couple of tutorials with explanations on how Firebase Auth and e.g. App Engine can work together, with sample code. See:
https://cloud.google.com/appengine/docs/standard/python/authenticating-users-firebase-appengine
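Both the Flask answer above and this App Engine answer end with "verify the ID token on the server". As an added example (not code from any of the posts or from Firebase), this stdlib-only block shows the claim checks a backend applies to a Firebase ID token once its RS256 signature has been verified against Google's public certificates, which `firebase_admin.auth.verify_id_token` does for you; the project id, header names and sample values are assumptions.

```python
"""Firebase ID token claim checks for a backend (Flask, App Engine, ...),
applied after the RS256 signature is verified against Google's public certs.
firebase_admin.auth.verify_id_token does both; this stdlib-only version shows
the claim step, which is where 'aud' is easy to forget."""
import base64
import json
import time

ISSUER_PREFIX = "https://securetoken.google.com/"

class TokenError(ValueError):
    """Any header or claim problem; the request should get a 401."""

def bearer_token(headers):
    """Pull the raw token out of 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing or malformed Authorization header")
    return token.strip()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def split_jwt(token):
    """Return (header, payload) of a compact JWT. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_firebase_claims(header, payload, project_id, now=None):
    """Apply the checks Firebase documents for ID tokens; return the uid."""
    now = int(time.time()) if now is None else now
    if header.get("alg") != "RS256" or not header.get("kid"):
        raise TokenError("unexpected alg or missing kid")
    # Google signs ID tokens for every Firebase project with the same key set,
    # so a signature check alone accepts a token minted for someone else's
    # project: aud and iss must be pinned to YOUR project id.
    if payload.get("aud") != project_id:
        raise TokenError("aud is not this project")
    if payload.get("iss") != ISSUER_PREFIX + project_id:
        raise TokenError("unexpected issuer")
    uid = payload.get("sub")
    if not isinstance(uid, str) or not uid:
        raise TokenError("missing sub (uid)")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenError("token expired")
    if payload.get("iat", now + 1) > now or payload.get("auth_time", now + 1) > now:
        raise TokenError("token issued in the future")
    return uid
```

The returned uid is what your route handler keys data access on; custom claims such as an admin flag appear in the same payload dict.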

Is there any way to directly login users to firebase via google assistant? And if not is there any plan to implement that in future? #askfirebase

I'm creating an app that will run on the Google Assistant, which should use Firebase Authentication to authenticate the user and then perform some user-specific stuff.
It isn't currently possible for a user's Assistant account to automatically be linked to a Firebase Authentication account. You can create a basic OAuth2 server that uses Firebase Authentication to identify them as part of the Assistant Account Linking procedure, but this isn't done automatically. Once they have done the account linking, your Action will get an auth token (that your OAuth2 server has issued) and can use this to get a valid token to work with Firebase on their behalf.
Google doesn't typically announce future plans, however there have been a number of requests for similar features.