authClient isn't working - firebase

I can't get FireFeed OR my own app working with auth, I followed the documentation for this. I copied in the rules and added the keys, what gives? Example: http://flx.me/firefeed/

One think to check when using the Firebase Simple Login / authClient feature is whether or not you have configured the proper application domain in your account. Any domains that you'll be using to host your application and making authentication requests from should be configured in the 'Application Domains' section of Forge (get here by putting your Firebase URL in a browser). For your application, your domains should include flx.me.

Related

HERE API: using app_id and app_code from backend when secured against frontend domain

I have a separate frontend (single page application) which is utilizing HERE places API autosuggest feature. However, rest of the application logic which accesses HERE REST APIs is located at the backend side. These services are located on different cloud instances.
I can protect the API credentials by using the frontend SPA domain in "Secure app credentials against a specific domain" in the HERE project page. This blocks the API usage from the backend side. Is there a way to protect the credentials against both services?
You can try the HERE Serverless Apps approach. They provide security of AppID and AppCode: because it is in a central cloud Serverless Application being copied and used in every client application. Read more about it here https://www.here.com/en/aws-serverless.
Update: If you are not able to use Serverless, you can also add up to 10 allowed domains in your project in developer site.
I bypassed this problem by creating separate projects for frontend with domain limits and backend without.
Not an elegant solution, but it works, it's simple, and if I have to block a project in case someone hijacks the keys (everything sent through browser can be read by users) it's just some dynamic maps that wouldn't work until I update the site. Everything else is routed through the server.

Firebase authentication persistence across two web apps

I am building a platform which consists of a public facing 'website' and a PWA which will be on a subdomain on the same server.
Both web apps use the same firebase project and I was wondering if it is possible to share authentication status between the two. i.e. can I redirect a user to the PWA side without them having to login again?
Both apps are written with React, Redux and Node
Store the authentication token in a cookie with the following domain:
.mydomain.com
where mydomain.com is the public site. Now the PWA can access this cookie as a subdomain of mydomain.com.
Subdomains can not access localstorage of the main domain or other subdomains, but can access cookies in the main domain.
If Firebase automatically writes to localstorage, write your own code to delete it from there (or leave it there), and add it as a cookie.
I don't think you need to put the . in front of the domain for your cookie anymore, but you used to and I still do.

How to secure HERE API keys?

How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provide an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put domain there but I do not see any change on my app behavior.
The application still continue working fine on my PC. Shouldn't the HERE API stop working as web server is running on localhost and not on the defined domain.
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I tested also running the app on external cloud service on different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. Checked also the api response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.

Firebase: Local Development and testing in AngularFire

I am using Angularfire to make a website. I am trying to integrate oauth based sign in with google for user authentication but when I try to run index.html file and try to login following error is displayed
11:59:28.189 Error: There are no login transports available for the requested method.
Stack trace:
Mg#file:///G:/Project/root/js/firebase.js:142:1267
dh/<#file:///G:/Project/root/js/firebase.js:163:141
1 app.js:31:4
I searched on stackoverflow for this and got this answer , it says that I need to setup a server for this.
Then I looked at firebase docs and they said
For security reasons, if you're using a web-based OAuth flow
(Facebook, Twitter, Github, or Google), only domains that you
whitelist are allowed to initiate authentication for your app. This
does not apply to Email & Password, Anonymous, or Custom
authentication methods. All Firebase applications have localhost and
127.0.0.1 enabled by default for local development and testing.
The authentication works fine after I host it on firebase but deploying takes a lot of time and also sometimes even I don't have access to internet.
So please suggest me easiest manner so I can run my app on localhost.
An easy way to locally run a Firebase (or any other) web site is to use the Firebase tools and then run
firebase serve
See this blog post introducing the local server.

App with Firebase and Trigger.io - domain name

I have an app buit with Firebase I want to deploy using Trigger.io.
In the App I'm using the auth.login('twitter') function.
What domain name shall I put in the Auth setting of my app?
Thanks a lot !
Following up on this thread in case anyone else is looking for the answer to this.
The OAuth-based authentication providers in Firebase Simple Login use pop-ups (via window.open(...) to initiate login flows, and window.postMessage to safely communicate between the two frames.
In order to enable these social, OAuth-based providers in Firebase Simple Login in the Trigger.io environment, there are a few steps:
Ensure you're loading the latest Firebase Simple Login client from the Firebase CDN, at https://cdn.firebase.com/v0/firebase-simple-login.js.
The Trigger.io environment support does not require an authorized domain configuration in Forge, but still will require that you configure your Facebook / Twitter / GitHub application to use the appropriate https://auth.firebase.com/auth/... redirect URL, as documented.
Ensure that any required Trigger.io JavaScript libraries are included (the forge global variable should be set in your application - test with console.log(forge) in your client code).
Lastly, and most important, the Trigger.io Tabs Module must be enabled in your application config.

Resources