I have to build an API using Firebase, and need some help with design choices. I want to be able to sell the API to users, who can then use it to build/integrate their own applications. Users will have both read and write privileges.
General information:
I'm using Firestore db with email & password authentication.
Only specifically assigned users may use the API
Each user may only access specific documents concerning them.
I've noticed 3 different ways in which an API can be provided to a user of my Firestore db:
https triggered cloud functions (https://firebase.google.com/docs/functions/http-events)
Using the SDK (https://firebase.google.com/docs/firestore/client/libraries)
Using the REST API provided by Firbase (https://firebase.google.com/docs/firestore/use-rest-api)
API requirements:
Used only by users that I specifically grant access to (email & password login)
I want to limit these users to only a couple of read/write tasks that they're able to perform.
It needs to be safe.
My current approach is:
Use the 3rd option - the REST API provided by Firebase (thereby giving users the projectId and API key)
Add authorised users to the list of authorised accounts on Firbase, and limit access using custom claims and database rules.
My questions:
It seems that https functions (option 1) are normally used in API building. Are options 2 and 3 unsafe?
What are the normal use cases of the 3 options? When should each be used and when should each be avoided?
Are there any obvious flaws in my choice of option 3?
Any other useful information about making these design decisions will be much appreciated.
Thank you in advance
TL;DL: It depends on what you want to do with this API and how many and what type of devices/users will be calling it.
Before answering your questions I will list below the advantages of each approach:
Cloud Functions:
Cloud Function is a Functions as a Service Solution, so it's also a hosting service for your API, therefore you won't have to provision, manage, or upgrade servers and the API will automatically scale based on the load. Also this option takes into account the pros of SDKs and client libraries, since your code will have to use it to connect to Firestore anyway.
SDKs and client libraries:
This is the easiest and more optimized way to reach Firestore, however, environments where running a native library is not possible such as IOT devices will be left out of your solution, so consider this while implementing this option.
Cloud Firestore REST API:
Every device properly authorized to access Firestore will be able to do so.
NOTE: For both SDK and REST API you will need to consider hosting of your API, either on Cloud Functions, as mentioned, App Engine Standard, App Engine Flex or a Compute Engine Server Instance.
All that being said, it's up to you and your API's usage and requirements to say which option is best considering the points above.
As per security, I'd say that all option can be secure if firebase rules and firebase auth are set correctly.
Related
I'm developing an android app with firebase as a backend and I heard a word named Admin SDK. I had searched for it and found it is used to manage data.
But I have a doubt that firebase provides a console webpage (console.firebase.google.com) to manage data, but why there is a separate Admin SDK?
Can someOne please explain...
The firebase admin SDK provides a simple and easy way to modify firebase settings and data using API calls.
For example, you might ask: why should you even have a regular SDK to store data? After all, you can store and save data directly from the web interface. It is, however, simply not secure or practical to have users update their own data each time using the console.
Similarly, the admin SDK is just like the regular SDK but with administrator permissions. For example, it allows you to bypass the rules set up using your firestore rules. The Firebase admin SDK is meant to be used on your backend - so you know it is running trusted software. You know that it will act the way you expect it to, unlike code running client-side that can't be trusted.
For example, let's say that you want to be able to delete a user's post if certain conditions are met. The user will make the request to your server, and it will check if the conditions are met, and then delete the post using its admin privilages. Sure you could technically automate this using firestorm rules, but those can be quite cumbersome and might not work in more complicated examples.
You can also even use it to integrate with other applications like connecting your app to a moderation tool or a curse detector that can't or shouldn't run on the client's device.
Is your question is why does Admin SDK exists?
There are several administrative tasks such as deleting users, listing collections and many more which the client cannot and should not be able to do.
Firebase Admin SDK has admin access to your Firebase project's resources.
It does not obey any security rules and can read/write any of your database, storage bucket..
That is why you must use Admin SDK in a server (or cloud function only). Although I feel Firebase Admin SDK is more useful if you use your own servers and authentication method. If you are using a custom server then:
It can be used to generate custom token so you can authenticate users using your own method (maybe legacy auth system) but still use Firebase Authentication to handle the auth tokens thereafter.
If you use your own database (and not any from Firebase), the Admin SDK can verify the ID Token sent by client and get identity of that user. Thereafter it's could be a simple if-else statement for you to decide if the user has access to the request resource or not.
If I have multiple apps with Firebase (different types and kinds) but want to be able to have 1 user base for all of them (1 account for all apps, even if they only use 1) how would I do this? I was thinking either 1. cloud function (every time someone signs up, add them as a user in the other apps) or 2. A separate project for Auth only and configure both of them in the app, but that might mean requests to firestore, storage, and functions aren’t authorized. NOTE: I'm willing to use GCP products separate from firebase to accomplish this.
If the apps are all part of the same suite, you can add them to a single Firebase project. This is by far the easiest way to do this, but there is a hard limit on how many apps you can have in a project in this way (according to the FAQ, this is 30 at the moment).
If the apps are not all part of the same suite, or you need more than the limit, your only option is to use custom authentication. This means you'll create a custom authentication provider that takes the user's credentials, verifies them, and then creates a UID and token for that user to the client which then uses it to sign in to Firebase.
In the back-end you could possible use a single Firebase project for then generating all these users, although I'll admit it's been a few years since I did that.
I am currently creating a marketplace mobile application from scratch and I'm using React Native for the front-end part and Firebase for the backend (using Firebase and Firestore).
I am wondering wether :
I should create a RESTful API using cloud functions and express to create API endpoints (that would connect to firebase and firestore) that I'd call from my redux actions in my React Native app (using redux thunk).
or, I should call firebase and firestore directly from redux actions.
I see couple pros and cons for each method.
Restful API pros :
Safer as I can check and manipulate submitted data more easily
Custom API reply (I can manipulate the return data)
Restful API cons :
Probably slower as I would have to call an API endpoint that will then call firebase and/or firestore.
Won't be as easy to set listeners on firestore data
What do you think about it ?
Which option should I choose knowing that I predict that the app will get a few thousand users daily. I want it to be as fast and safe as possible and be able to set listeners for notifications purposes.
In my opinion you should mix them, if you have to manage users, products or etc. Firebase produces client and admin sdk that has different roles. If you haven't need manage any data of products or users or etc. you can simply use client sdk.
My advise is you can use admin sdk on API (server-side) and feel free to use client sdk on your clients.
Use as managements on API, listening data, realtime chat etc. via client sdk.
You can check admin and client sdk. Also npm packages for React Native here.
Mixing will be of help, you can try:
Listen for small amounts of data using the client SDK
Write and sort data using the cloud functions
In my experience, writing to a firebase database that uses ordered ids (in my case) leads to some huge problems in the long run. I lost a good chunk of data when my app accidentally wrote to a root index instead of a child index when the app was resumed from inactivity because the android system cleared the RAM.
Also, for notification, use Firebase Cloud Messaging.
I read firebase is referred to as backend as a service, but in its documentation it supports Nodejs. Java, Python, Golang, etc along with Web, Android, and IOS
My question is why do we need backend if firebase itself is a backend as a service.
Incase your requirements exceed what firebase offers out of the box, firebase will still give you the ability to manage your data in programmatically.
For most use cases, you won't need your own backend. But in some cases you will for example need a custom sign-in flow, or perhaps a custom dashboard to manage firebase users. In those cases firebase gives you the flexibility to do so using the firebase admin SDK, which I believe is being referred to when they list 'Nodejs. Java, Python, Golang' as supported languages.
Checkout the firebase admin documentation here to understand what you can accomplish using it. Depending on your needs, you might not need it at all.
You may be interested to interact, from some backends that you own/control (e.g. a server in your premises), with some Firebase services hosted in the cloud in the Firebase infrastructure.
This can be interesting, for example, to integrate some of your legacy applications with Firebase.
You’ll find here and here two videos from Firebase that show some real life examples.
I want to call my firebase function HTTP API from another server -- which does not have an email and password (or any other firebase authentication method).
I want to be able to run a task like read/write in Firestore, however still protect the API. I would like to create some sort of programmatic keys like AWS does for calling their APIs. But, how to do this in firebase ? How can we generate such programmatic keys to communicate between one server to another?
It seems that the best available option that you might try - because it doesn't seem to have an official way to do it - it's by using API keys to perform the verification and security of your calls. As clarified in the official documentation Using API Keys, this is not supported by all Google applications, but Cloud Endpoints should work.
Considering that, you can use Cloud Endpoints in integration with your Cloud Functions, to provide security via API keys. You can find more information on how to achieve that in this article here.
Another alternative you may want to try, it's using a JWT token - as clarified here - as a header in your API calls. This way, you will be working with authetnication via keys - not exactly as in AWS, but it's a start - so you can secure your calls. :)
Anyway, if you don't find this useful, I would recommend you to raise a Feature Request in Google's Feature Tracker, so they can check about the possibility of further implementation in such functionality.
Let me know if the information helped you!