I just started learning node, express, and Firebase and after digging around, I've decided to ditch express's express-session API and go with Firebase's authentication system.
I'm trying to build a simple app that can handle multiple user sign-ins with express but I'm lost on where and when to use Firebase functions. I know I need some sort of session on the client side, but I'm unsure how to implement it.
Below is what I want my app to do:
Log in with user credentials
Store user information in a session object
Redirect to the dashboard
Retrieve user details from session object
Here is what I have so far:
app.post('/login', (req, res, next) => {
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.LOCAL)
.then(function() {
firebase.auth().signInWithEmailAndPassword(req.body.email, req.body.password).then((user) => {
res.redirect('/dashboard');
})
.catch((err) => {
res.send(err);
});
})
.catch(function(error) {
// Handle Errors here.
var errorCode = error.code;
var errorMessage = error.message;
console.log(errorMessage);
});
});
I've read up on Admin SDKs, authChange, tokens and client SDKs. I'm a total newbie at this and I'm blown away by all the information. I feel like I'm missing an onAuthChange statement, but I'm unsure where to put it. This is also a testing nightmare because my local server returns an error when I use persistence.
How can I use session-like objects in Express? What do I need to implement to make sure multiple users can use my app at the same time?
I found my answer. There's no need to initiate sessions in the back end because Firebase functions create a session object in LocalStorage. Powerful stuff.
Related
Well, I'm really lost here so any help would be great. My app works with a DOTNET6 API backend and a Vue3 frontend.
I'm registering users via Google Sign In directly from my frontend (Vue3) with this code:
async googleLogIn() {
const provider = new GoogleAuthProvider;
var gUser;
await signInWithPopup(getAuth(), provider)
.then((result) => {
gUser = result.user;
console.log(gUser);
})
.catch((error) => {
console.log(error);
});
}
The user gets correctly saved in Firebase, and that should be all. The thing is, even though I'm not interacting with my DOTNET API, said API gets shut down without specifying the error. The message displayed in VS Debug Console is : ...\my_api.exe (process 32400) exited with code -1.
I believe the ports used by my API might be the problem (already tried changing them but it keeps failing), but I don't understand why the Google Sign In would interfere with my local API.
How long do the firebase credentials last in the web client, I am making a web application that is planning to stay offline for months and when they get back online it will be updated. What I need to know is how long they last, can the time be increased?.
I have looked in the firebase documentation but I have not been able to find the desired information
I mean these credentials https://i.stack.imgur.com/dZqH5.png
This information is from the documentation right here:
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.LOCAL)
.then(function() {
return firebase.auth().signInWithEmailAndPassword(email, password);
})
.catch(function(error) {
// Handle Errors here.
var errorCode = error.code;
var errorMessage = error.message;
});
The word "Local" indicates that indicates that the state will be persisted even when the browser window is closed or the activity is destroyed in React Native. An explicit sign out is needed to clear that state.
So the user stay logged in forever unless the browser is re-installed or data is cleared.
There are other two mode alongside 'Local' - 'Session' and 'Null'. You can read about them in the link provided above.
By the way, it's "LOCAL" by default.
Not sure if this is what you're looking for, but it appears the behavior of firebase credentials is customizable.
i hope i don't get downvotes on this one, i've been trying to set up web notifications for my CMS using Firebase, and i noticed that Google's Firebase documentations on the topic are huge, i mean very huge you get confused.
So far i managed to add the functionality of letting people subscribe to the notification by letting the browser asking their permission to send them notifications, then i get the unique tokens after they accept and store those tokens in my database, i also managed to change the location of the service worker and everything looks good and dandy.
Now, i want to send a notification to all my users (tokens) that are stored in my database, i think looping through them and send a notification using CURL to each one individually is a nasty solution. I can't find a documentation on how to send a notification to all my tokens in one CURL call.
This is my code so far:
<!-- Firebase Technologies -->
<!-- Firebase App is always required and must be first -->
<script src="https://www.gstatic.com/firebasejs/5.1.0/firebase-app.js">
</script>
<script src="https://www.gstatic.com/firebasejs/5.1.0/firebase-
messaging.js"></script>
<script>
// Initialize Firebase
var config = {
apiKey: "AIzaSyAR84lF2vbnfUWPZ2899dnqiTthgvfv7Ms",
authDomain: "lazemnicms.firebaseapp.com",
databaseURL: "https://lazemnicms.firebaseio.com",
projectId: "lazemnicms",
storageBucket: "lazemnicms.appspot.com",
messagingSenderId: "268754114869"
};
firebase.initializeApp(config);
messaging = firebase.messaging();
//Registering the service worker
navigator.serviceWorker.register("firebase-messaging-sw.js", {scope: "firebase-cloud-messaging-push-scope"}).then(function (registration) {
messaging.useServiceWorker(registration);
}).catch(function (err) {
// registration failed :(
console.log('ServiceWorker registration failed: ', err);
});
permissionGranted = false;
messaging.getToken().then(function(currentToken) {
if (currentToken) {
console.log(currentToken);
permissionGranted = true;
//sendTokenToServer(currentToken);
//updateUIForPushEnabled(currentToken);
} else {
permissionGranted = false;
}
}).catch(function(err) {
permissionGranted = false;
});
And also if a user got a refreshedToken, how can i know this user's old token so i can remove it from my database after i store his/her new token?
Those questions are really troubling me.
Thanks in advance.
The v1 API currently only allows sending to a single token at a time. Multicast is planned to be added (it was present in the previous API), but I don't have a timeline for when it will be available. So right now that means that you'll need to do a call to the FCM API for each token.
There is nothing built-in to know the previous token for a user. The typical way to do this is to keep the "last known token" in local storage, and unregister that when you get a new token. Alternatively, you can instead catch the errors that indicate an invalid token when sending messages, and remove them from the database that way (see an example of that here). A combination of these two approaches is probably best.
Writing a mobile app with Firebase being my backend, also using ES to power my search. I'm completely new to ES.
Suppose each user can publish articles, each of which contains some number of tags, which denotes what this article is about, kind of like questions asked here. Users can search for articles, with tags, and articles containing that tag will be displayed. I manage to do that with Cloud Function, so, the Cloud Function basically looks like this:
exports.articleSearch = functions.https.onRequest((req, res) => {
const { tag } = req.query;
const ElasticSearchConfig = {
uri: '..<my elastic cloud url>/articles/article/_search...',
method: 'GET',
body: ...,
json: true,
auth: {
username: '...<my elastic cloud username>...',
password: '...<my elastic cloud password>...'
}
};
// If succeeds, send results back to user, if not, send error back
request(ElasticSearchConfig).then((results) => ...)
.catch((error) => ...);
});
This works, however, it's a bit slow, because I'm not running ElasticSearch on user's devices, instead, through a cloud function. But if I do run the above code on user's devices, you noticed auth property of ElasticSearchConfig object, I'm basically giving everybody permissions to access and manipulate my ES server. How can I run the above code on user's devices and at the same time, prevent them from reading or writing anything without proper permission?
There's no secure way to do what your asking. Even if it was possible, you don't want that kind of processing client side draining the battery, especially on mobile. Your slow response from cloud functions may be caused from the function entering a timeout state, meaning it hasn't been called in a while.
In our application we use Firebase's custom login functionality to store some metadata in user's auth token.
Later we send this token to one of our web applications to perform a task on behalf of the user using a new admin token to disable security rules. The idea is that a particular location is not writable by authenticated users directly, but data could be written in that location after some server side calculations and validations are done.
Here's a sample code of what I'm trying to do:
var testRef = new Firebase(firebaseApp + 'test');
testRef.auth(userFirebaseAuthToken, function(error, result) {
if (!error) {
var userId = result.auth.userId;
// perform validations and calculations
var tokenGenerator = new FirebaseTokenGenerator(firebaseSecret);
var token = tokenGenerator.createToken({admin: true});
var protectedRef = new Firebase(firebaseApp + '/protected/');
protectedRef.auth(token, function(error) {
if (!error) {
protectedRef.child('foo').push({id: userId});
}
});
}
});
But I get this error:
FIREBASE WARNING: set at /protected/foo/-Ityb1F6_G9ZrGCvMtX- failed: permission_denied
When desired behavior is to be able to write in that location using an admin token.
I understand that this might not be a Firebase issue, but some JavaScript good/bad parts, but what I need to do is to write in some protected location on behalf of a user which even though is not authorized to write in that location, but needs to be authenticated.
Based on what I've seen from my test units and from experience, I don't think that new Firebase actually gives you an independent connection to the data. That is to say, these are both connected to the same Firebase instance internally (I think):
var refA = new Firebase('...');
var refB = new Firebase('...');
So if you want to re-auth, I'm pretty sure you need to call unauth first, which will probably affect your testRef instance as well.
If you truly need to have multiple instances opened to the database with different auth at the same time, then you'll have to look at node-fibers or some other worker pool model, which will allow separate connections.
However, give some thought to this; you are probably overthinking your approach. If you are writing on behalf of a user who doesn't have permissions, then you probably don't actually need to be authenticated as that user.
I've written an entire app with secure Firebase components that are consumed by a third-party app, and then written back to privileged paths and then read by users, and haven't yet run into a condition where the server would need to demote its permissions to do this.
That's not meant to presume I know your use case, just to give you some encouragement to keep things simple, because trying to juggle authentication will not be simple.
My approach is to treat the Firebase security rules as a last defense--like my firewall--rather than part of the programming algorithm used by privileged processes.