This is kinda open ended question. Just wanted to get some comments / views / pointers on my situation. Before I start with my question I would like to disclose that I have never worked on backend before.
I am trying to build backend for an iOS app that creates user account based on phone number, take some basic information from user such as first name, last name and address. Based on that information I am planning give custom suggestion of weather / whats around etc.
Now for authentication I am using Digits from twitter (https://docs.fabric.io/ios/digits/index.html). But I am not sure how to do whole user management as such. Example collecting more information assigned to same user who was authenticated using phone number.
I thought of using Google's Firebase and Stormpath for user management but they seem to have there own authentication flow. Is there a way to combine either of these with Digits?
Any comments / pointer will be highly appreciated.
I work at Stormpath on our iOS SDK. Unfortunately, we don't have an integration with Digits or phone number based login at the moment, although it's on the roadmap. While it's technically possible to integrate them, for a casual project, I'd suggest using Facebook / Google Login.
Digits is really cool and useful, but Digits' integration on the server side unfortunately doesn't come with many examples, and may be difficult for you to understand if you haven't done it before. Facebook / Google login is a bit easier to implement (or even Facebook's AccountKit for phone number auth).
For using Stormpath to build a backend + mobile app, I've written a set of tutorials you can use to do Facebook or Google login.
Build a REST API for your Mobile Apps using Node.js
Build an iOS App in Swift that uses a REST API
Related
I have a mobile app that does two things. The first one is to use Firebase to implement a chat. On the other side, the apps, uses a REST API to retrieve some info from a database and do some writes on it. Simple as that. The app provides a login system: two text fields and a button. The user provides an email address and a password then I used the standard Firebase function to do the login using signInWithEmailAndPassword(). The thing is that I should use the same credentials to do the login using the REST API to access the other database. At first I decided to do the call to Firebase and to the REST API in the same function. One other possible solution could be a web service. I'll explain how. A web services written in Python, PHP or JavaScript generates a JWT token that is sent to the mobile app after the user asks to sign in. I'm pretty sure that this is possible like shown here: https://firebase.google.com/docs/auth/admin. The latter seems too over-complicated to me. Now, the question is. Can someone suggest a solution, the most simple one, that can be used is a scenario like this? Thanks all in advance.
In short: In GCP credentials can be restricted with application restriction and with API restriction, but Identity Toolkit API cannot be restricted on Expo mobile application.
-In web both restrictions work
-On android/iOS API restriction works but (as I have tested, correct me if I'm wrong) application restrictions does not
Now if using email/password authentication there is an issue.
There is a huge insecurity here as if anyone gets to know your API key (you define in initializeApp and so you connect to Firebase with and so use with Identity Toolkit API).
They can only by knowing that key call Firebase Auth REST API "Sign up with email / password" from anywhere and create users for your project!!
Am I wrong, missing something or can this be prevented somehow?
Things you can do to prevent this:
In "GCP>credentials>Identity Toolkit API" you can lower "Queries per minute" and "Queries per minute per user"
You can in "Firebase>Authentiction>Sign-in method>Manage sign-up quota" lower the quota from same IP address to minium (but does this help in case of android/iOS application?)
But there is no completely secure solution unless you can application restrict your API key as far as I know.
I got the following answer from Firebase support and since there has not been answers I will add this as correct answer for anyone looking solution for same thing or seeing this question.
First of all, I would like to thank you for choosing Firebase to
implement your application. I know that these kinds of situations
could be frustrating, let's work together to provide the best solution
for you.
I have checked your case and I would recommend that you reinforce your
Security Rules, because this is not a security risk, as long as you
secure access to the data within your project correctly for your
requirements, as it is mentioned in this external entry.
We don’t have a way to know the origin of those emails, even if they
were created by real users through your app, but if you identify fake
accounts you can use Cloud Functions to delete all emails registered
with that pattern using Auth triggers. Alternatively, you can delete
the accounts after an established time without activity using Schedule
Functions.
Additionally, if you don’t want to have users on your application, you
would probably need to use the Admin SDK and authenticate the
application by service account instead.
I was searching for a simple way to link 2 or more project users just like google account for Youtube, Google Drive and Amazon account for amazon app & prime video app
On mobile these apps don't really require you to enter your credentials again but use the same account, without need of creating a new one as an account is already created by the user for another service from the same Provider/Company.
Is there any way to use Firebase / GCP to implement such functionality??
I also saw this thread, but it is using a third party identity provider called jumpCloud, is there any way I can build it from scratch?
https://medium.com/#tfalvo/single-sign-on-sso-for-your-firebase-app-with-saml-f67c71e0b4d6
Actually you would need to use The identity platform in tandem with Firebase.
Please also check the detailed answers provided on the Stackoverflow-link which is related to Implementing Cross Project User Auth (Single Sign On) like Google account using Firebase/ GCP.
It seems like there is already a Feature Request opened to have this feature implemented if the above two solutions are not applicable to your situation.
My boss has charged me with the task of finding how to integrate WeChat into our photobooth's "Total Share" section.
Our photobooths work under windows and their software is a mix of Java and a PHP web API installed locally, that then connects to a web service.
The intention is to give the user the option to, when their picture is done, get a copy of it via WeChat (I guess that by introducing it's phone number)
Through my searches I've found a WeChat JS-SDK, but that seems to connect sites you are watching on your phone with your actual WeChat app so it doesn't work in my case.
The other source I have found is the Official Account Admin Platform, but I'm not really sure if this would allow me to do what I need. As far as I've seen, the Official Account can send messages in response to a trigger (that would work for me, send a message when the user clicks on the button), but it also seems to need that they "subscribe" (in a way) to the Official Account, and secondly I'm not sure how can this be automatized.
Especial mention:
I'm a junior developer, so API integration is a bridge I haven't crossed yet, and as such I'm utterly lost.
Is it possible to get the functionality I require? If so, what are the steps to do it?
You don't need to make a fully fleshed tutorial to write an answer, just knowing in what direction should I go, and maybe some possible caveats that more experienced developers may be able to foresee, would be great.
Thanks.
On their Overview page one of the bullet points under "What it does" is:
Multiple users can collaborate with the same data at the same time
However there's nothing in the documentation to suggest how this can be done, all the real time syncing is done only between devices logged in with the same user. Their own Simplenote app which is built on the platform does allow multi-user collaboration, but this would appear to be using a private API that is not available to normal Simperium clients.
Is there something I've missed? Is it a feature that will be added in the future? If so, when?
We didn't release the collaboration feature yet, but if you'd like to test it, please, mail us and we'll get in touch with you: jorge.perez#automattic.com
Thank you!