I am using firebase for authentication on my app. There only needs to be one username/password for it, and after X time, i need for it to expire and to generate a new one. I was wondering if that was possible at all
There are no built-in features for automatic account generation or expiration in Firebase Authentication. However, since it has an API, you can implement all of these yourself. For example, here is documentation on creating a new user, and updating a user profile, such as changing their password.
You'll typically need to use the Firebase Admin SDK for these operations, since they require administrative access to your project. That also means you should run them in a trusted environment, such as your development machine, a server you control, or Cloud Functions.
Related
I'm developing an android app with firebase as a backend and I heard a word named Admin SDK. I had searched for it and found it is used to manage data.
But I have a doubt that firebase provides a console webpage (console.firebase.google.com) to manage data, but why there is a separate Admin SDK?
Can someOne please explain...
The firebase admin SDK provides a simple and easy way to modify firebase settings and data using API calls.
For example, you might ask: why should you even have a regular SDK to store data? After all, you can store and save data directly from the web interface. It is, however, simply not secure or practical to have users update their own data each time using the console.
Similarly, the admin SDK is just like the regular SDK but with administrator permissions. For example, it allows you to bypass the rules set up using your firestore rules. The Firebase admin SDK is meant to be used on your backend - so you know it is running trusted software. You know that it will act the way you expect it to, unlike code running client-side that can't be trusted.
For example, let's say that you want to be able to delete a user's post if certain conditions are met. The user will make the request to your server, and it will check if the conditions are met, and then delete the post using its admin privilages. Sure you could technically automate this using firestorm rules, but those can be quite cumbersome and might not work in more complicated examples.
You can also even use it to integrate with other applications like connecting your app to a moderation tool or a curse detector that can't or shouldn't run on the client's device.
Is your question is why does Admin SDK exists?
There are several administrative tasks such as deleting users, listing collections and many more which the client cannot and should not be able to do.
Firebase Admin SDK has admin access to your Firebase project's resources.
It does not obey any security rules and can read/write any of your database, storage bucket..
That is why you must use Admin SDK in a server (or cloud function only). Although I feel Firebase Admin SDK is more useful if you use your own servers and authentication method. If you are using a custom server then:
It can be used to generate custom token so you can authenticate users using your own method (maybe legacy auth system) but still use Firebase Authentication to handle the auth tokens thereafter.
If you use your own database (and not any from Firebase), the Admin SDK can verify the ID Token sent by client and get identity of that user. Thereafter it's could be a simple if-else statement for you to decide if the user has access to the request resource or not.
If I have multiple apps with Firebase (different types and kinds) but want to be able to have 1 user base for all of them (1 account for all apps, even if they only use 1) how would I do this? I was thinking either 1. cloud function (every time someone signs up, add them as a user in the other apps) or 2. A separate project for Auth only and configure both of them in the app, but that might mean requests to firestore, storage, and functions aren’t authorized. NOTE: I'm willing to use GCP products separate from firebase to accomplish this.
If the apps are all part of the same suite, you can add them to a single Firebase project. This is by far the easiest way to do this, but there is a hard limit on how many apps you can have in a project in this way (according to the FAQ, this is 30 at the moment).
If the apps are not all part of the same suite, or you need more than the limit, your only option is to use custom authentication. This means you'll create a custom authentication provider that takes the user's credentials, verifies them, and then creates a UID and token for that user to the client which then uses it to sign in to Firebase.
In the back-end you could possible use a single Firebase project for then generating all these users, although I'll admit it's been a few years since I did that.
Is it possible to create a Firebase token using the CLI that only works for a specific project inside the account? The current way using firebase login:ci looks like it can work for all projects inside an account. I am going to use this token for specifically Github action CI work and might pass around other team members.
I have seen questions like this which was asked in 2019.
I'm planning to use the token with this action so any workaround is appreciated.
It's not possible.
When you get a login token, that token represents the user, unrelated to any projects that user might have access to.
If you want to control the per-user access to various projects, you will have to configure that in the console using IAM for each product that you are trying to control. If you give the user permission to make changes in the console, then they implicitly have permission to make the same changes from the CLI.
So you want to authenticate against Firebase to deploy a service within a CI pipeline.
And you want to scope that access to a specific project only to reduce the impact radius, if the token leaks.
firebase login:ci has (I) a too broad scope (all projects you as a user have access to) and (II) is tied to a specific person, which does not scale well if you get ever offboarded from that project...
The solution is to create a Service Account and assign it the necessary role(s).
You will need to make the Service Account key JSON file available on your CI server and set the GOOGLE_APPLICATION_CREDENTIALS respectively
The Github Action you linked provides actually the ability to authenticate via a Service Account. This means you are good to go
I'm starting with Firebase, and basically, i just want to store data in Firebase, and user from my app will only do a read only. From what i read so far, it seems that firebase only works with authentication, and i've read about anonymous authentication. But i don't see the advantage of being authenticated anonymously, since basically the user will never be upgraded to "permanent" user.
All i want is the user use my app (and only through my app) to get data without needing to authenticate.
What is the best way to achieve this ? Do i create a username and password, and use this for everyone in my app ?
Do i stay with anonymous authentication ? Since i will at first use the Firebase Spark Free, and it says that only 100 simultaneous connection for realtime database, do each creation of anonymous authentication will be considered as opening a connection all the time, thus limited my app to 100 connection/user only ? Is there a limitation for Spark Free in terms of anonymous connection ?
Thank you
You can use Firebase without authentication. Some of the Youtube tutorials on the official Firebase channel even go as far as to show you how to disable authentication on the Firebase Database and Storage. Only disable read authentication for production purposes.
Storage Rules.
Database Rules.
I need to allow my app to fetch general information available in the Database but without making the information accessible elsewhere. In other words, allowing only my app to access some data.
As far as I know, Anonymous login is not an option for me because at a later stage I am login using email and password.
Basically, I am looking for an alternative to Firebase Secret, in order to allow my app to access the data, but not make that data publicly available by making it .read": "true".
In Firebase 2.x the way to do this was using Firebase Secret, but do not know how to achieve the same access without officially login in.
There is a similar question here, but it asks whether or not it is possible rather than alternatives.
Although the Secrets are deprecated now, you can find it under Project settings -> Service accounts -> Database Secrets.
Instead of the Secret, you should use the Firebase Admin in your project.