How does firebase distinguish between websites for firebase analytics? - firebase

I know that using firebase in a web app requires putting some public config keys in the front end code and that its safe to do so. But I am confused about how firebase would prevent malicious people from just copying those config keys and pasting them in their own sites and initializing the firebase analytics sdk there to try to spoil my analytics data.
In firebase auth, we also give some whitelisted domains and authentication services are only allowed on those domains by firebase. So even if we try to access those auth services from another domain, firebase won't allow it.
So how will firebase differentiate in case of analytics? If the same config keys are put in webpages on two sites abc.com and xyz.com and abc.com is my actual site whose traffic is supposed to be tracked, how will firebase know and discard data from the bad website xyz.com if the person who created xyz just copied my config from my front end code and initialized firebase.analytics() on their site to spoil my analytics?

Related

How to stay logged in cross domain firebase?

I'm developing my project and here is a deal: I'm having firebase auth email and password based. Then I've created landing for users and what I'm trying is to let users signup from landing which is on different domain and stayed logged in on my main app.
I've looked up firebase docs but didn't find any snippets. Basically I think there should be auth provider config, but again there is no info. Maybe you've faced such an issue, how you've solved it?
You cannot signup users on one domain and allow them to login into a different domain with those signup credentials. Firebase doesn't allow that. Each domain has its own auth setup that doesn't coincide with another domain's authentication. You can use sub domains if you want. ->
https://dev.to/johncarroll/how-to-share-firebase-authentication-across-subdomains-1ka8
You will have to create cloud functions but to achieve this even on subdomains.
Gist of that article.
Getting Firebase Authentication to work across subdomains is not super
straightforward, but it is doable without that much work.
Unfortunately, you need to be familiar with a number of concepts such
as CORS, cookies, JWTs, Firebase Authentication itself, etc.
Might as well develop your own Nodejs server instead of using hacks and workarounds like in the article.

Static website authentication to firebase backend

Let's say I own a fully static website on https://example.com/. Just HTML, CSS and client side JS files.
Next I wanted to implement a basic commenting system allowing authenticated guests to leave comments. My plan is to use a POST form on the site and implement the commenting backend on Firebase with a Firestore database.
Authentication wise, I suppose it needs to deal with two scenarios:
Client authentication. The site itself needs to be authenticated by the firebase backend so that only POST requests originated from the site will be accepted. What should I do? There must be no shared secret between the site and firebase because the site is static and everything in there can be accessed by visitors. Perhaps there is some kind of host based auth? Appreciated if you can point me in the right direction.
User authentication. Guests need to be authenticated before they can post comments; Use OAuth should be fine provided the backend can deal with Facebook, Github etc.

Firebase hosting multi site, 1 domain, 2 sub domains

I am building a website that has both an app and a control panel. I want the app to live at someurl.com and the control panel to be at controlpanel.someurl.com.
I have the someurl.com app setup, however the sub domain has confused me. From what I gather, the subdomain needs to be setup using the host of “controlpanel” and that it should point at a URL (e.g 115.110.145). My question is, what url should the subdomain point at, as firebase only gives me one URL.
All domains that are connected to Firebase Hosting utilize the same anycast IP addresses -- the Firebase Hosting serving infrastructure looks at the hostname of incoming requests to match to verified domains.
I'd recommend just following the steps in the docs and would reach out to Firebase support if you get stuck in a specific place.

concerns about required A records for setting up Firebase Dynamic Links with a custom subdomain

In setting up our own subdomain to handle Firebase Dynamic Links using these docs, the wizard says to put the A records at example.com in our DNS. I'm getting pushback from our network administrators who are wary of creating an A record at the root of our domain, which is a large e-commerce web site.
A couple of concerns/questions about this:
The IP addresses required (151.101.1.195 and 151.101.65.195) point to non-Google servers (looks like Fastly), which is a bit alarming - it seems strange that Google would outsource their deep link hosting.
We don't want all of our e-commerce traffic (coming through example.com) to be subject to these A records. Is it possible to put the A records at link.example.com instead?
The Firebase documentation on using a custom domain for dynamic links has this note:
To use a custom domain for Dynamic Links, the domain must point to Firebase Hosting. If you have a domain you want to use with Dynamic Links and the domain points to a different host, you can either move to Firebase Hosting or create a subdomain hosted by Firebase, which you can use for Dynamic Links.
So you can indeed use a subdomain for the dynamic links. In that case, just set up the subdomain in Firebase hosting. You'll need the same TXT record as normal, to prove that you have access to the domain, but then just map the subdomain (e.g. links) for the A record.
Here is the answer I received from Firebase support about these my two concerns/questions:
Regarding Fastly, Firebase uses this subprocessor to deliver content and managed services on Firebase Hosting. For more details you could check the list of Subprocessors used by Firebase on this doc.
It's possible to use a subdomain as your Firebase project's FDL domain. You'd need to create a subdomain (link.example.com) on your domain's DNS provider and connect it to Firebase Hosting. You could check out this guide for more details.

Firebase authentication persistence across two web apps

I am building a platform which consists of a public facing 'website' and a PWA which will be on a subdomain on the same server.
Both web apps use the same firebase project and I was wondering if it is possible to share authentication status between the two. i.e. can I redirect a user to the PWA side without them having to login again?
Both apps are written with React, Redux and Node
Store the authentication token in a cookie with the following domain:
.mydomain.com
where mydomain.com is the public site. Now the PWA can access this cookie as a subdomain of mydomain.com.
Subdomains can not access localstorage of the main domain or other subdomains, but can access cookies in the main domain.
If Firebase automatically writes to localstorage, write your own code to delete it from there (or leave it there), and add it as a cookie.
I don't think you need to put the . in front of the domain for your cookie anymore, but you used to and I still do.

Resources