I am building a platform which consists of a public facing 'website' and a PWA which will be on a subdomain on the same server.
Both web apps use the same firebase project and I was wondering if it is possible to share authentication status between the two. i.e. can I redirect a user to the PWA side without them having to login again?
Both apps are written with React, Redux and Node
Store the authentication token in a cookie with the following domain:
.mydomain.com
where mydomain.com is the public site. Now the PWA can access this cookie as a subdomain of mydomain.com.
Subdomains can not access localstorage of the main domain or other subdomains, but can access cookies in the main domain.
If Firebase automatically writes to localstorage, write your own code to delete it from there (or leave it there), and add it as a cookie.
I don't think you need to put the . in front of the domain for your cookie anymore, but you used to and I still do.
Related
I know that using firebase in a web app requires putting some public config keys in the front end code and that its safe to do so. But I am confused about how firebase would prevent malicious people from just copying those config keys and pasting them in their own sites and initializing the firebase analytics sdk there to try to spoil my analytics data.
In firebase auth, we also give some whitelisted domains and authentication services are only allowed on those domains by firebase. So even if we try to access those auth services from another domain, firebase won't allow it.
So how will firebase differentiate in case of analytics? If the same config keys are put in webpages on two sites abc.com and xyz.com and abc.com is my actual site whose traffic is supposed to be tracked, how will firebase know and discard data from the bad website xyz.com if the person who created xyz just copied my config from my front end code and initialized firebase.analytics() on their site to spoil my analytics?
Let's say I own a fully static website on https://example.com/. Just HTML, CSS and client side JS files.
Next I wanted to implement a basic commenting system allowing authenticated guests to leave comments. My plan is to use a POST form on the site and implement the commenting backend on Firebase with a Firestore database.
Authentication wise, I suppose it needs to deal with two scenarios:
Client authentication. The site itself needs to be authenticated by the firebase backend so that only POST requests originated from the site will be accepted. What should I do? There must be no shared secret between the site and firebase because the site is static and everything in there can be accessed by visitors. Perhaps there is some kind of host based auth? Appreciated if you can point me in the right direction.
User authentication. Guests need to be authenticated before they can post comments; Use OAuth should be fine provided the backend can deal with Facebook, Github etc.
I have a separate frontend (single page application) which is utilizing HERE places API autosuggest feature. However, rest of the application logic which accesses HERE REST APIs is located at the backend side. These services are located on different cloud instances.
I can protect the API credentials by using the frontend SPA domain in "Secure app credentials against a specific domain" in the HERE project page. This blocks the API usage from the backend side. Is there a way to protect the credentials against both services?
You can try the HERE Serverless Apps approach. They provide security of AppID and AppCode: because it is in a central cloud Serverless Application being copied and used in every client application. Read more about it here https://www.here.com/en/aws-serverless.
Update: If you are not able to use Serverless, you can also add up to 10 allowed domains in your project in developer site.
I bypassed this problem by creating separate projects for frontend with domain limits and backend without.
Not an elegant solution, but it works, it's simple, and if I have to block a project in case someone hijacks the keys (everything sent through browser can be read by users) it's just some dynamic maps that wouldn't work until I update the site. Everything else is routed through the server.
How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provide an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put domain there but I do not see any change on my app behavior.
The application still continue working fine on my PC. Shouldn't the HERE API stop working as web server is running on localhost and not on the defined domain.
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I tested also running the app on external cloud service on different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. Checked also the api response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.
I can't get FireFeed OR my own app working with auth, I followed the documentation for this. I copied in the rules and added the keys, what gives? Example: http://flx.me/firefeed/
One think to check when using the Firebase Simple Login / authClient feature is whether or not you have configured the proper application domain in your account. Any domains that you'll be using to host your application and making authentication requests from should be configured in the 'Application Domains' section of Forge (get here by putting your Firebase URL in a browser). For your application, your domains should include flx.me.