Firebase functions: Custom auth endpoint - firebase

I want to login using custom auth endpoint in firebase admin.
For example using email and password.
http://firebasefunctionsaddres.com/loginUsingEmail
So from client I want to make request with email and password(and maybe some other info) and on firebase functions side (maybe save some data to firestore) and response with auth token.
Is it possible?

I personally didn't use the auth token, because I found an easier approach by using Firestore and just storing the user information there. It is a very simple database to use. No queries, it works just like a JavaScript Object!! And encrypt/hash the password of the user by using something like MD5, or SHA 256 before storing it!!
Here is a link to the JavaScript Firestore Documentation that'll teach you to store and retrieve data (it works super fast): Firestore JavaScript Docs
Also in this way, you have to load less Firebase Resources and all user data is stored in one place! I really like the simplicity of Google Firestore! (In my opinion, soooo much better than PHP and MySQL!)

Related

how do I wait for a response from FireBase Kotlin Android Studio

Screenshot-1
Screenshot-2
I am trying to check in the database whether there is a user with such a login or not. If it exists, then display an error.How can I get a response from the database before I create a user
That's not an efficient way of handling authentication. The best option that you have in my opinion, would be to implement Firebase Authentication. Once you do that, you can simply check if the user is authenticated or not. How? By simply checking if the FirebaseUser object is null or not. Please also note that this operation is not asynchronous.
If you however need to get something from the Realtime Database, then please note that that is indeed an asynchronous operation. Since you're using Kotlin, the following article will help for sure:
How to read data from Firebase Realtime Database using get()?
Edit:
If you want to check if a user already exists, then please check my answer from the following post:
Checking if a particular value exists in the Firebase database
Besides that, never store credentials in plain text. I highly recommend you implement Firebase Authentication so you can secure your database using Firebase Security Rules. If you want to keep your own authentication mechanism, please see the official document regarding that:
https://firebase.google.com/docs/auth/android/custom-auth

Firebase-UI Web vs. Building Custom JS using Web SDK

Client Framework: Vuejs
Backend DB: Firebase Firestore
Auth system: Firebase Auth
__________________________
I'm building a Vue application that uses Firebase Auth. In the past, most developers created custom form that collects user info (name, email, password, phone #, and etc.) using HTML Input field to gather Email and password, and then, from the client side we could perform TWO important actions in one sequence to give a single step to user.
USE Auth SDK to Call firebase auth method to create new user by passing email and password to the method as parameters.
Upon completion of this action, we then grab the UID that is returned by Firebase, and using Firestore SDK, we then make the next call to create a NEW User in DB, using the name,email, Phone # and the UID.
This flow works great which provides a smooth one step User Flow and we can provide proper error message and navigation.
Then came along and Firebase Team offered FirebaseUI to use as replacement to our custom form and sequence. The FirebaseUI has some strange behaviors related to how to "Sign up" new user and also lacks flexibility and a modern look for form entry.
Based on my understanding, the main reason Google wants us to use it:
A) It provides a more secure way to collect email and password and send it to Firebase Auth.
B) It provides easy way to use multiple providers.
My question is, Is it really unsecured to build our own form as I explained earlier and not bother with Firebase UI, when I'm only using email/password auth and passing it via HTTPS?
Please clarify, is it safe just build my own custom form or SHOULD I use FirebaseUI?
FirebaseUI doesn't really offer anything special in terms of security. Use it if you like the way it works. If it doesn't work the way you want, fork the source code and make it work the way you want. If you want something completely different, feel free to implement it yourself.
The point of FirebaseUI isn't to ensure security. It's to be convenient. You are ultimately responsible for security, so be sure to audit any code you use in order to ensure it meets your needs.

How can I send the parameter with the firestore get method?

My project is creating a website using firebase, but it is using the internal authen micro service instead of Firebase authen.
Every time the user logs in, the internal authen service will generate a token (I call it client_id), and send it to the client.
This token is also stored in the user collection.
Please help me how to write rule for the user via this client_id.
If it is write role, I can send the client_id via mothod update, delete, create and get it out by
request.resource.data.cliend_id and check it.
But if it is read role, I don't have any way to send to the client_id via the get method to authenticate users
I even thought of replacing all the get methods with the update methods to pass the client_id
But the response of the update method is just the update_time, not the object I updated
Firebase RTDB & Firestore Rules uses their own auth only. In every request that firebase client library sends uid along with jwt token and other security parameters. These are fundamental to firebase's working and thus can't be replaced.
As Aleksey mentioned, you can try custom auth. It is specifically tailored for such use cases only.
There is no way to provide extra data to security rules for the purpose of limiting read operations. That would not be secure at all, because a client could simply fake whatever they want in the query.
You can only use information provided by Firebase Auth available in request.auth, the data in the document itself in resource.data, or the contents of other documents using get(). If you want to attach additional data to the user account, consider using custom claims.

Duplicate data between Firebase Authentication and Firestore

I have a small question about managing data between Firebase Authentication and Firestore.
For example:
The Firebase Authentication API stores the email of the user.
But we also use Firestore to store the other details about the user.
So the question is...
Should we also store the email on Firestore ?
I feel that a duplicate data is never a good idea. But having the email directly in Firestore should be faster and easy to access.
Thank you
I feel that a duplicate data is never a good idea.
When working with NoSQL solutions I'd highly recommend letting that feeling go. Read NoSQL data modeling and watch Getting to know Cloud Firestore for more on this.
One of the things you'll learn from that is that your data model will typically evolve for the use-cases your app needs. For example, if you want to allow the user to see or search all email addresses, that functionality is not standard available in the client-side Firebase Authentication SDK. This means you have a few options to build this functionality for your users:
The server-side Admin SDKs of Firebase Authentication do have the option to look up the email address for a user, or to list users. So you could wrap this functionality in an end-point you create and secure (for example with Cloud Functions).
You can also write the user information to Cloud Firestore (or the Realtime Database) when the users registers, and then look it up there from within the app, using Firebase's security rules to ensure all access to the data is authorized.
This is just one example, and as I hope is clear, it is based on speculating that your app needs certain functionality. But it's quite common that developers store user information that is also in Firebase Authentication in a database too.

how to make authenticated requests to Firebase Realtime Database with api key

What I want is to perform rest requests to Firebase Realtime Database from my esp8266 with micropython firmware without complex authorization process.
I know that I can turn off authorization at all in the rules but I'd prefer to have at least some basic security.
Can't I just use my Web API Key for this purpose?
Here is a doc which tells that there are 2 ways of authentication: oauth2 and generating key manually. Second way seems almost what I need but it requires setting up Admin SDK and as far as I understood still requires regenerating the key from time to time.
So eventually I have no answer to a simple question: how to authenticate rest requests to the Firebase Realtime Database in the most simple way?
The same page you linked to contains a section on using legacy tokens (also known as "database secrets" in the past). While those are not recommended anymore, they continue to work and are as simply as adding the (non-dynamic) database secret to your URLs.
I suggest you read the links at the bottom of the documentation. But I do recommend that you switch to using the OAuth or ID Token flows as those are much more secure.

Resources