i have built a webapp using angular material and firebase functions + realtime DB as the backend. I am using slack "Sign in with Slack" API oauth flow. All works well and i am able to generate a accessToken in the backend which i can store against the user in the realtime DB. Once that is done i make a redirect call to my angular app on the dashboard page. Currently i am passing userid in the redirect url which i use to drive user to dashboard and show his data.
This functionally works fine but is a big security issue. As i can directly type the redirect url and boom. I am in the dashboard.
So, how do i solve this? What should i be doing in the url redirect that is secure and validates the response is the the result of a valid request?
I am not familiar with the Slack OAuth SDK but in general, this is true for all OAuth providers. Ideally, at the point where you redirect to your callback URL with the slack authorization code and you exchange the auth code for a Slack access token before returning that access token to the client, you call the Slack API to get the Slack user ID with the access token and then mint a Firebase custom token with that uid. You then return that custom token to the client and signInWithCustomToken. Make sure you are checking the state field (which you set when started the Slack sign in) along with Auth code to verify that the flow started and ended on the same device.
Related
I am working on project using Next JS + NextAuth package. For user authentication we are using NextAuth with Custom Credentials provider. I am making a sign in REst API request to Firebase to get the user logged in and saving all necessary bits like Firebase tokens(access and refresh) in JWT.
The flow works.
Where i am stuck: Changing user password.
Password change is pretty straight forward using firebase client SDK. But I am using Firebase API:
https://firebase.google.com/docs/reference/rest/auth#section-change-password
the flow to change password requires:
Provide latest access token in API request above.
If the latest Access token is not provided, the API would send back error like: TOKEN TOO OLD or RE AUTHENTICATE
So this to work, we need to reauthenticate the user prior to making that change password request.
What I have managed to do:
When user request password change, user needs to provide current password.
Using the current password, i would re sign in user using API end point:
https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password
This would work but now I need to update the latest access token in the JWT using NextAuth.
At this point i am stuck:
Refreshing the JWT using Next Auth; as soon as the user is re-signed-in and again when password is changed and new access token is sent back from Firebase.
When I try to refresh the JWT with new access token (etc) token using NextAuth client side callback: https://next-auth.js.org/tutorials/refresh-token-rotation
The application breaks due to access tokens are not synced on JWT and on firebase.
Questions:
Is my flow correct changing the user password?
Is there better way of doing this?
Any help is appreciated. Thanks
I have a project that requires the usage of login via Facebook and Google, so I picked Firebase to speed up the process of authentication; However, the user must also be able to login via LINE(a messaging app popular in SEA).
Currently, I have implemented:
Line Login-> Finish Login -> Redirect to Cloud Functions -> Verify Line's Access_Token -> Create a User In Firebase from LINE's ID Token -> Create Custom Token from Firebase User
All that's left is to implement signInWithCustomToken and then get the idToken from firebase to send to my api for authorisation.
Now, the signIn process should be handled by the client side, but I am not sure how to pass the customToken to the client side(Our backend api and frontend client is separated).
I could pass it in a query param as I redirect the user to the frontend, but I am not sure if that's the best way to go about it.
What should I do?
After the user has logged in to LINE, it redirects to any link you set
for it to redirect to with the url params being the authorisation code
and state, so ?code=xxxxxx&state=xxxxx ... I decided to use cloud function to be the redirect url for the LINE Login
If I understand correctly, instead of directly redirecting LINE to the Cloud Function, you should probably redirect to a page of your web application which, in turns, calls a Callable Cloud Function (passing the code and statevalues as arguments).
This Cloud Function verifies the token as well as creates a user in Firebase and when this is done, sends back the token to the page of your web application. You then have all the elements to call the signInWithCustomToken() method.
I am implementing Firebase OAuth with Twitter in a Game Maker app.
Note that Game Maker does not support SDKs so I am using 3-legged OAuth sign-in with REST.
After redirecting the user to the sign-in page for Twitter, I don't know how to handle the callback to the firebase URL and get the authentication data back to my Game Maker client.
I got the first step of the sign-in working, which is the POST oauth/request_token request to api.twitter.com; in the response I'm receiving oauth_token, oauth_token_secret and oauth_callback_confirmed.
After that, I'm opening the following URL in the user's browser: "https://api.twitter.com/oauth/authenticate?oauth_token=[oauth_token]"
That sends me to the Twitter sign-in page, which then redirects to the callback URL set in Firebase (and whitelisted in the Twitter dev console): "https://[APPNAME].firebaseapp.com/__/auth/handler" with the oauth_token and oauth_verifier query parameters.
The guide says this about this step of the 3-legged sign-in:
Upon a successful authentication, your callback_url would receive a request containing the oauth_token and oauth_verifier parameters. Your application should verify that the token matches the request token received in step 1.
I don't know how to reiceve the request to the callback_url and process it. Is it something I'm supposed to do from Firebase itself? Is my Game Maker client supposed to do it with a GET request? I have no clue.
I ended up setting up a Cloud Function as a callback.
This way I am retrieving the response directly from the function and storing the data/errors in the database.
I want to migrate from existing Facebook authentication to Firebase authentication.
My current schema:
API server:
POST /signup?access_token=&id= # Signup endpoint that accepts Facebook ID and access token and responses with: user ID (crated in API server DB) and its tokens pair (access/refresh)
POST /signin - mostly the same as /signup, but has additional step to check whether the user exesit in the database or not.
POST /refresh_token?refresh_token= # Returns a new pair of access and refresh tokens
What should I do to seamlessly migrate existing users to Firebase Auth?
I suppose that the first thing I should do is sync new users with Firebase.
So I should add a step to /signup handler that will register newly created users in Firebase.
Then I should migrate existing users to Firebase, right? I could success in it with Firebase CLI and JSON file with my users, so there is no question with this step.
But I can't understand, how I can do the first step: sync newly users with Firebase.
I use Ruby, that doesn't have Admin SDK implementation, but it is not a problem for me, REST API is OK.
I think this one https://firebase.google.com/docs/reference/rest/auth#section-sign-in-with-oauth-credential is the right place for start, it looks like definitely what I need.
The problem is in requestUri parameter. Documentation says: requestUri string The URI to which the IDP redirects the user back.. Hm... I don't interact with user at all, it is a server-side code.
What URL should I use? I didn't know and decided to use the default value: http://localhost. So it was failed.
UPD 1:
API:
V1:
/signup => Register user in my DB, issue tokens
/login
/refresh_token
V2:
/signup Deprecated in favor of client side Auth
/login -//-
/refresh_token -//-
Client for API v1 (Facebook Auth):
Authenticate user with Facebook Auth
Make request to API V1 /signup or /login|/refresh_token
Client for API v2 (Firebase Auth):
Authenticate user with Firebase/Facebook Auth => Creates user in Firebase DB
What I want is consistent and compatible API for clients V1.
Any existing client (application) for API V1 should be able to send a request to v1/signup endpoint and finish with the same state as clients for V2: user account is created in Firebase
I think you may be looking for this resource: https://firebase.google.com/docs/auth/web/facebook-login
You'll want to integrate the Facebook Login (and whichever other logins) so users can sign in. If a new user signs in, then Firestore automatically created an account associated with the new user.
In my firebase (Angular) app, I'm using firebase authentication to log a user in via their Google Profile. As part of this process, the user gives me permission to access their gmail account (scope 'https://www.googleapis.com/auth/gmail.compose').
After the user has logged in this way, I want to configure the "gapi" google javascript SDK so that the "signed in user" is the user signed in via firebase auth. Here's where I'm having trouble.
It appears that I need to set the client token for the gapi sdk like so gapi.client.setToken(userAccessToken) and the token needs to be set before the gapi client is initialized. Attempting to do this doesn't seem to work however (a call to gapi.auth2.getAuthInstance().isSignedIn.get() returns false when it should return true).
I also can't figure out a way of changing the "signed in user" if the firebase user logs out and a new one logs in. This is because, again, the gapi client seems to require the gapi.client.setToken() be called before the client is initialized, and I can't see any way of re-initializing and already initialized gapi client.
I can get the gapi client working if I use the gapi client's own gapi.auth2.getAuthInstance().signIn() method, but then the user is asked to sign in to my app twice using (from the user's perspective) identical google login popup boxes (one prompt originating from firebase auth and the other from the gapi client).
Does anyone have any suggestions / tips? After someone logs in via firebase auth I can get access to their userAccessToken, I just can't figure out how to programmatically pass that to the gapi client in a clean way.
Ideally:
on application load the gapi client would also load and initialize.
When a user chose to sign in, I would be able to use Firebase Auth to log someone in via their google profile, then get their access token and pass it to the gapi client to make google api calls.
If the firebase user ever logged out, I would clear the gapi client's api token.
If a new firebase user logged in, I would re-set the gapi client's api token.
I have come upon a placeholder (i.e. non-ideal) solution to this problem by following this S.O. answer.
In short, the GAPI client does not seem to let you manually pass it an access token, but the firebase auth client does let you manually pass it an access token. So, instead of handling authentication with the firebase sdk and passing the token to the GAPI client, you need to do the reverse and handle authentication with the GAPI client and then pass the token to the firebase SDK.