So here's situation,
The firebase auth is very good.
But in some area for some reason the host of https://www.googleapis.com are not accessible from app side.
So I was think about a way to proxy the request to https://www.googleapis.com in may iOS app to My Server, and My Server will transfer the auth request to https://www.googleapis.com on server sider.
Question
Is there a way to config the host in firebase API ? Or is this a good way to do it?
Related
I have a service API running behind Firebase Hosting Rewrite Rule that will benefit from CDN caching as its API response rarely changes, but it will need to be protected from the public. Currently, the server is doing auth check for every request coming in using Firebase Auth's verifyIdtoken to see if it should accept incoming request or not.
I was wondering if Firebase Hosting's global CDN supports any kinds of authentication, such that auth check can be done at CDN level. Something similar to GCP Endpoint Auth, or but tailored for Firebase.
As a mitigation for now, the server is setting cache related HTTP headers for requestors to cache the response, however, this is per-user cache, and every new user's request will continue to reach the server.
All files on Firebase Hosting are accessible by anyone who knows their URL, so should only be used for hosting public files. There is no security mechanism in place.
Firebase messaging error in http server, but works well in https server.
; FirebaseError: Messaging: The required permissions were not granted and blocked instead. (messaging/permission-blocked).
Do we need https server to send the notification from the server?
The Firebase Cloud Messaging SDK is supported only in pages served
over HTTPS. This is due to its use of service workers, which are
available only on HTTPS sites.
More Information here
Good luck!
I have a web SPA that currently connects to a Rails backend, authentication handled via auth0. We have a new server that has some endpoints that the SPA needs to connect to. What is an elegant way of authenticating against both servers considering I have auth0 implemented in the SPA and the legacy server already? Is there some way to pass the authenticated token back to the new server from the legacy server? Or do I just authenticate against both servers when logging in as a user on the SPA? The user db sits in a separate db, shared by both servers.
If the credentials are stored in your database, then use an Auth0 Custom DB Connection to authenticate against Auth0 from your SPA. Auth0 has quickstart samples for all the popular SPA frameworks / libraries (angular 1.x, 2+, React.js etc). You authenticate against Auth0 (not the legacy or new server). As a result, you receive a (JWT) ID Token and a (JWT) Access Token. It is the Access Token you send from your SPA to each of of your Servers for the purpose of making Authorized requests. Your Server (legacy and new) should be secured to verify the JWT Access Token as valid and optionally check the scope attributes match the request endpoint. That's all that is required. The Auth0 documentation covers all this, and there are samples too that demonstrate how to set this up.
I have an application where I need the server side code to create and delete repositories on my OWN GitHub account. GitHub API's OAuth authentication only works if I sign into GitHub on the client side. I need something that would allow me to store the username and password (or some sort of key) on the server side, therefore everything can work without any UI interaction whatsoever.
Welcome to Stack Overflow. You can do the authentication from server to server, quoting from the github api:
OAuth2 Key/Secret
curl "https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy"
This should only be used in server to server scenarios. Don't leak
your OAuth application's client secret to your users.
https://developer.github.com/v3/#authentication
The client id and secret can be either Meteor settings, or environment variables on the server (Don't put them in your code!!). As long as your server is secure, it should be safe.
I am playing around with Amazon Gateway API and am struggling to get my head around security.
Obviosuly the API I create cannot be accessed by anyone and needs to be secured. Amazon suggest using API keys or IAM roles. I have a few questions:
How can i authenticate my client requests so that my app and only my app can make use of the API?
How does AWS determine a role for an incoming request?
If I choose API key approach, how does it work?
Thanks!
How can i authenticate my client requests so that my app and only my app can make use of the API?
If your backend is a Lambda function, you can grant permission to API Gateway to access it.
If your backend is a HTTP backend, you will have to find out the authenticate strategy at your HTTP backend side.
How does AWS determine a role for an incoming request?
If your API is required IAM auth, the incoming request has been signed with AWS sigV4 algorithm. AWS is able to determine the permission of the credential is used to sign the request.
If I choose API key approach, how does it work?
All the incoming requests have to contain the API key in the header. If the key is allowed to access the API, the request will be processed, otherwise it will return 403.