I have been creating a flutter app and am using firebase for authentication.
Is it possible and best practice to use the firebase only for the authentication and use REST APIs via http package for the CRUD operations instead of using cloud firestore?
Yes, it sure is possible, and common. If you want to send the user credentials to your backend for verification, you should use the Firebase Admin SDK to verify a user ID token.
Related
Edited
I am building a spa app to make some administrative tasks on the app/firebase easier. I don't have a separate backend for this app so I use firebase cloud functions directly from the spa client. I am also not using Admin Sdk , just Http triggers. I am using functions.https.onCall on functions invoked by regular app users. Since i didn't want to mix up regular users with the admin login , I implemented a separate login for the spa app. Since the admin is already logged in , I am looking for some kind of JWT key / API key based authentication to secure firebase functions implemented for these tasks.
One possible solution , as Frank van Puffelen mentioned in his answer , is to add firebase auth , store the UIDs of the admin users and check if the request came from them using getIdToken() in the cloud function. Is this the best practice or is there an alternate to approach this.
Any input is appreciated.
The common approaches here are to:
Either keep a list of the UIDs of the admin users in a place that your Cloud Function can access, for example in the code itself or (more likely) in a cloud-hosted database.
Or add a custom claim to the ID token of admin users.
In either case, your Cloud Functions code can then ensure the user is authorized to call the end point.
I was wondering how to to secure firebase auth. I plan on using firebase JUST for user authentication (not using firestore or realtime db). Since the API key is exposed on the client, my fear is that a malicious user can find the key and start using it inappropriately. So far I've done the following to try to improve security:
Limit key use to a specific domain
Restrict the key to only be able to use "Identity Toolkit API"
Is there anything else I should do here?
My application should be the only one able to use my credentials to access the Firebase API.
For any app where you access a cloud based API directly from within the client-side application code, that is going to be a myth. The closest you can get within Firebase these days is with App Check, but that isn't available for Authentication calls at the moment.
Part of the reason for this is that the authentication API is quite well protected on its own already, and most abuse will actually not affect you as a developer very much. E.g. (ignoring phone auth) there is no charge for account creation, sign in, and any other operations.
I highly recommend checking:
Is it safe to expose Firebase apiKey to the public?
The documentation on API keys in Firebase.
The documentation on Firebase's security rules, which is how you can protect the Firestore and Realtime databases, and files in Cloud Storage.
The documentation on Firebase App Check, which reduces abuse for Realtime Database, Cloud Storage, Cloud Functions, and Firestore at the moment.
More of these previous questions on allowing only you app to access Firebase
So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.
I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.
But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.
Security rules only apply to access from web and mobile SDKs. It does not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.
As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He is explaining how to do this. Just use the generated token instead what’s been used in the video.
I can't figure out how to authenticate my IoT appliance to call Google Cloud App Engine APIs I've written using Firebase Auth.
We currently do this with our browser app using Firebase Auth tokens. We use the username and password to issue a token and then use that token during the life of the session to access APIs from our browser app.
This doesn't translate well to our IoT appliance as there is no username/password - so we are thinking we will need to use Firebase custom tokens. Unfortunately these tokens expire every hour - so we will need to use the Firebase Auth APIs to renew the tokens automatically - we think this is the way this works based on documentation.
A constraint we have is that this appliance doesn't have any user experience but instead needs to be able to restart at any time and reestablish it's authenticity with the server by retrieving a fresh token.
I'm having a hard time finding an example of how to do this - and I'm hoping someone can give me a simple example or some clear direction on how to keep a authentication token current while the appliance is on and establish a new one if it needs to restart.
Thanks!
Have you looked at Cloud IoT Core as an option? It handles the authentication piece for you without user/pass (uses JWT), and is designed for IoT. A quickie Cloud Function can bring your telemetry data into Firebase/Firestore very easily.
Another option would be to create a service account with permissions to write to AppEngine. Check out this link: https://cloud.google.com/docs/authentication/getting-started for some documentation on how to authenticate using a service account.
I am trying to create a REST API for my app using Firebase Cloud Functions. I know how to use Admin SDK in Cloud Functions. It does have API to createUser. My front end app lets users sign in using Google and Facebook but I am not sure how to put it all together.
My app has successfully implemented Sign in with Google and Sign in with Facebook but how and what data do I transfer over to Cloud Functions (or any REST API Server for that matter) so that it could create a user in Firebase with appropriate provider.
Update for more explanation
I am creating an app for iOS and Android with some sort of cloud based backend. Right now I am experimenting with Firebase but I do not intend to tightly couple my apps to Firebase and hence do not want to pull Firebase-iOS and Firebase-Android SDKs into my app code. I want the ability and freedom to switch my backend over to AWS or Azure without changing frontend code.
The one (and only?) way is to create a server that will expose REST API endpoints and do the work on my behalf that usually SDK does. To achieve this, I am using Cloud Functions but that shouldn't matter as long as I have API to talk to actual cloud.
After putting that explanation, now my question is how do I let my users login to app using external providers like Google and Facebook and still achieve what I am trying to do. When I let users sign in with providers, I do not have their password to send to backend to create a new email/password user.
The sample code that best illustrates what you want to do here on GitHub.
It shows how to create an Express app that handles HTTP request pages. Learn more about Express to configure it for wildcards are needed.
It accepts and checks authentication tokens in HTTP requests from Firebase Authentication to validate the end user responsible for the request.