Is it recommended to manage users in the client side or in the server side?
I'm worried about the authentication that has to be done in the client side if I manage the users in the client side.
Yes, you should manage user data on the server. Firebase already provides facilities for this: https://firebase.google.com/docs/auth/users
I run at the same problem it seems that Java server side API in firebase-admin JAR lacks these methods.
Red line in documentation https://firebase.google.com/docs/auth/admin/manage-users confirms that :(
Related
I am implementing an app using Nuxt3 and Firebase.
Currently, the authentication is using a plugin. The problem is that to define firebase tools in the plugin I have to use a public variable containing the API keys etc ... So everything looks to be visible into the client side.
I am looking for a secure way to implement auth on the server-side. How can I proceed to avoid any problem ?
Thanks for help
If you are concerned that your firebaseConfig is exposed on the client side, that's fine.
As answered in this thread, that config simply identifies it on the firebase server.
I am planning to use Firebase App Check to verify that requests made to my backend services (including Firebase) will be from my app only.
I would like to know how can i validate / verify that the App Check token sent from the method FirebaseAppCheck.instance.getToken() on my backend ?
PS : my backend is in python but i am more asking about the way to verify than the code, but if you provide the code in python as an example it will be appreciated.
This may be what you're looking for firebasedocs
You can only take advantage of that verifyToken api if you're using a Node.js server, otherwise it's not available yet.
You can manually verify the token though:
https://firebase.blog/posts/2021/10/protecting-backends-with-app-check
Right now I have my Server Key for Firebase messaging hardcoded in my code.
Is this a security problem for when I deploy my app?
Can I get this key programatically?
Yes it's a security issue,according to this official document at the bottom says.
Important: Do not include the server key anywhere in your client code. Also, make sure to use only server keys to authorize your app server. Android, iOS, and browser keys are rejected by FCM.
And I don't think "get this key programmatically" is good idea because you still downloaded key to the client,or using other way to store in the client.
There's no way to protect in a serious way the key in your apk. Getting the key would be quite easy, so you have a big security issue and your poor security design could have bad conseguences, see for example what GDPR says about privacy. Remove the key, change it if possible and implement a server to communicate with your clients and send push messages.
For a little project I want to send push notifications directly from the app (without a backend).
As I read from the FCM documentation while this is technically possible with a simple HTTP POST request it's discouraged because in this way I have to hard-code the server key that will become easily retrievable with a little of reverse engineering.
So I though to add my server key in the Firebase remote configuration and use that.
What do you think? Are there some contraindications?
Thank you very much.
Storing the key in Firebase Remote Config doesn't make the approach secure. After all: the app still needs to be able to access the key and thus remote config.
Any solution that uses the server key in the client-side code is susceptible to abuse.
I have a meteor application (with meteor Accounts), and am building a mobile application. How do I authenticate users from the mobile app. I have a python webservice that can send data to mobile clients. But I have no clue how to authenticate from the external app.
I did look at DDP client, but there is no 'authenticate method'. Is there any way to do this with a pure python solution? I have access to the 'users' collection -> srp verifier and salt.
Note: Python srp didn't work. The salt and verifier generated by python srp are supposedly bytes. However I can't even decode them using bytes.decode(encoding)
It sounds like you want to use the out-of-box account management baked into Meteor, then surface a mechanism that your PHP code can call to show different information based on who is authenticated.
If that's correct, I think your best bet is:
Build a PHP DDP Client. Meteor isn't really built to expose webservices in a traditional sense, but rather surface what they call a DDP protocol for external sources to plug into the server-side publications. That said, I have not yet found a PHP DDP client, but here is one in node, and one in .NET. You'll want to build a PHP DDP client and then write a Meteor.method in the Meteor server code that you can remotely call from your DDP client to check for a user's authentication.
BUT, if all you're doing is surfacing marketing information in your PHP site, perhaps it makes more sense to either (1) keep the entire app in PHP and use a native PHP account management system, or (2) save yourself the trouble of the DDP overhead and write the exposed marketing page directly in the Meteor app? If you need to keep it from a different server, consider a simple iframe?
I just developed a DDP client for PHP, which might be what you need. Check it out here :
https://github.com/zyzo/meteor-ddp-php