I would like to use Firebase Auth to authenticate mobile phone clients, but I have an existing PostgreSQL database with lots of functions and triggers that I do not want to convert to NoSQL. Is it possible to authenticate users with Firebase and then allow them to read and write data to the PostgreSQL database securely? What would be the proper way to do this? I come from a web development background so I'm used to session-based authentication instead of token-based authentication. Trying to wrap my head around it.
If you already have a backend talking to your PostgreSQL database, you can get a token with user.getToken() (https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseUser#public-constructor-summary) and then verify the token on your backend (https://firebase.google.com/docs/auth/server#verify_id_tokens). Then, use the uid from the token as the user's ID.
Related
We use firebase to authenticate a frontend application in the standard process- The application connect to firebase and ask for token, than the application send this token in every API call to the server, and the server validates the token.
Now if we want to expose some of our endpoints and supply api access (e.g users will be able to login without browser), how should we do the authentication?
The users will send username and password, and we will need to authenticate against firebase with the credentials.
Is there best practice or guideline to how to approach this?
I want to still leverage firebase security features that I don't need to manage by myself (for example, preventing brute-force attacks), but not using the browser.
I'm building a social media app with a focus on group chatting. I am working on creating a new user. Firestore provides this function to begin the process of creating the user from the client:
auth.createUserWithEmailAndPassword
However, I read that it's safer to try to minimize what lives on the client side and do most of the app's work on the server side. Should I use the function above (on the client) or should I make a custom function that passes the email and password to the server and create the user there?
Firstly, auth.createUserWithEmailAndPassword is not a Firestore method. It's a Firebase Auth method. Firestore is a database, Firebase Auth is an authentication service. It's good not to mix up their responsibilities.
The options you're proposing are not, in practice, any different in terms of security. That's because the Firebase Auth service provides a public REST API for creating new user accounts that's accessible to the world if you've enabled email and password authentication for your project. It doesn't really matter if you invoke that from a frontend or backend - the net result is the same.
Do whatever you find most convenient. Firebase Auth was designed so that users can create their own accounts using the authentication providers that you enabled. Adding another backend service to that seems to just add more work for no extra benefit.
I am trying Firebase to authenticate users for a website that was initially built on Flask (using the flask login workflow with a postgres DB). However, I am not sure that I have a correct understanding of what would be considered best practices when using Firebase.
I read through this article, which I think has led me down a suboptimal path when it comes to actually managing users.
My questions are:
Should all the Firebase authentication be handled in the javascript?
If so, should I use the request.headers on the backend to verify the identity of the user?
Any tutorials (aside from the Firenotes one, which I am working through) much appreciated.
Should all the Firebase authentication be handled in the javascript?
No, it doesn't have to be JavaScript. But in general, you'll find that most apps using one of the existing Firebase Authentication providers handle the sign-in of the user in their client-side code, with calls to the authentication server.
If so, should I use the request.headers on the backend to verify the identity of the user?
When calling REST APIs Firebase itself passes the ID token of the authenticated user in the Authorization header, so that's a valid approach indeed. On the server you can then verify that the ID token is valid, and decide what data this user has access to.
I have a firebase web app calling my Python API.
the user who is using my app does not need to login to use it but I still need to make sure that this request coming from my application
How can I verify the identity of the app sending the request?
There is no way to enforce that calls can only come from your application. In a database that is directly accessible from the internet, that is simply not possible. Anyone who can use your web app, can take the configuration data from that app and use the Firebase API to make their own calls.
That's why it's important that you enforce all business rules that you have for your database in Firebase's server-side security rules too. You can use these to enforce data structure, and (when combined with Firebase Authentication) ensure that all data access is authorized.
You can use Firebase Authentication without requiring your users to enter credentials by using anonymous authentication. This essentially gives your user a unique ID, that you can then use to identify that user (and the data they create) in security rules.
I want custom firebase authentication where a user manages the roles of subordinate users. I need guidance on understanding on how to implement my own backend authentication system. Everywhere the documentation keeps mentioning that 'send the username and password to your backend that will generate a custom token'. What is this backend? where do I pursue this? My knowledge domain is firebase, firebase functions, angular 2/4, ionic2 for this discussion... thanks
To use custom authentication, you need to create a JSON Web Token (JWT) on your existing backend server, after you have used your existing backend server to validate the username and password of the user (or however else your backend server validates your users).
To create that JWT, use the configuration described at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
There is PHP and Ruby code available at that page, for anyone using a language that does not have an SDK available from Google, but which does have a JWT library available.
The JWT is signed with your private key, which you can obtain as indicated at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
Although that page describes initializing the SDK, this section also has instructions for creating the private key for your service account using the Firebase console at https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts/adminsdk
You will have to send the email password to the firebase sdk in using javascript in web then when the sdk success functions tell that the user has been authenticated the web page will send result to your backend server (can be nodejs or php etc) from there you have to manage your own database to handle all the role base access.
Firebase is basically authenticating the user for you and telling you that you can identify this user using the following userid and then build your own system.
Firebase has access rules but those you have to define first you cannot fully customize them for each user.
For password auth see this:
https://firebase.google.com/docs/auth/web/password-auth
An easy way to do custom auth with Firebase is using an external identity provider. Auth0 is an example of such a provider.
Guide:
https://shusson.info/post/using-firebase-and-auth0-together
code:
https://github.com/shusson/firebase-custom-auth