How to secure client -> backend on firebase NodeJS - node.js

I'm building a bot hosted on Azure and using firebase for cloud functions (ie proactive messaging, collating data etc.) and for cloud firestore db.
Sorry as I'm a bit new to security and please feel free to just link to any useful resources on the below.
Within my bot code I'm using the admin SDK to access firebase. The bot will have no created users. Firestore rules therefore block read and write access to everyone (as admin SDK still has full access).
I have a couple of questions about security:
Is using the admin SDK in this manner (on the bot side) fine? It looks a bit mixed on the firebase documentation - ie https://firebase.googleblog.com/2019/03/firebase-security-rules-admin-sdk-tips.html mentions only using these in trusted environments, which I think the bot should be?
Secondly I am trying to send messages from cloud functions to the bot itself. This will just be a post with no sensitive data attached but I would like to authenticate this on the bot side to check it is from the backend. Is there a way to use firebase to do this (ie authenticating on client?). How else can I do this? I've been a bit confused reading about JWTs and encoding etc.
Thanks

Is using the admin SDK in this manner (on the bot side) fine?
It's totally fine. You don't have security rules there but Cloud functions (or servers) are secure environments so no one can reverse engineer that. You should validate the incoming data yourself. If I assume you are using Discord.JS, then you can just read ID of author and authorize the user:
const {id} = message.author
// use this ID as an identifier
You don't have to worry about the ID being false as it's not being passed by any client. Just make sure you fetch resources of that specific user only.
I am trying to send messages from cloud functions to the bot itself. I would like to authenticate this on the bot side to check it is from the backend
You don't need to validate that. Anyone can send message through your bot only if they get your bot's token which is a secret on server/cloud function. You must make sure only you have it.

Related

How to use email authentication in Firebase using Node.js

I'm trying to use the Firebase authentication service by email and password for my App.
I've noticed there are two SDKs, Client and Admin, both of them have methods to create a new user.
I've also noticed that only the client SDK has method to validate the user email and to return the new user's token after creation.
The two SDKs made me confuse regarding the way I should use this service so I have few questions:
Should I create a "signup" route in my server and use the Admin SDK or I should use the client SDK?
If I use the client SDK for signing it should be in the server side or in the client side?
How I can verify the user email using Firebase "Email address verification" template?
If someone can give me some guidelines.
The Firebase Admin SDKs are meant to run in a trusted environment, such as your development machine, a server you control, or Cloud Functions. They run with elevated, administrative privileges, based on a service account that you specify when initializing them. As such, there is no way to sign a user in with an Admin SDK, even though they indeed (as you noted) have the ability to create user accounts.
The client-side Node.js SDK is meant to be used in non-trusted environments, like for example IoT setups. This SDK indeed allows you to sign in as a specific user, and this information is then passed when you call other Firebase APIs from within the Node app.
Which of the two you should use depends on the use-case, which you're unfortunately not describing. Without that, the above is the best guidance we can give: if your code runs in a trusted environment, use the Admin SDK; otherwise use the client-side SDK.

Is it safe to use Firebase Admin sdk in dialogflow fulfillment when dialogflow talking to 3rd party services?

I'm using google dialogflow to make a whatsapp chatbot. I need to access firestore which contains sensitive data in other collections.
Admin sdk is usually used in cloud functions but since it can access any collection in firestore with ease, i wanted to know if it is safe to use it or should i opt for a different option such as firebase client sdk.
Dialogflow is linked to a third party service (QuickWork) which links my bot to Gupshup to use the whatsapp business api.
You're supposed to use backend SDKs, such as the Firebase Admin SDK, in Cloud Functions (which is considered a backend). The web client SDKs are not really designed for backends, and there is not much of an advantage of using them over the the backend options. The client SDKs are used in client apps when you need the currently authenticated user to have restricted access according to security rules.
There is nothing really "unsafe" about the admin SDK. It's only as safe as the code you write that uses it.

How to use Firebase Auth to register/login/mint token but Mongodb for everything else?

--First time poster, mods please let me know if the question is inappropriate/incorrect--
Situation:
I'm working on an app with friends. We have a dedicated frontend layer and a dedicated nodejs server running MongoDB. I am trying to integrate firebase into our server layer so we can login users and handle minting/verifying/refreshing tokens using Firebase Auth.
Problem:
I'm completely lost as to how to use Firebase Auth for this purpose. I've looked through the docs extensively, I first went down the "Getting Started with Firebase on an App", until I realized (I think) that guide was specifically for web applications without a dedicated backend.
Then I looked more into Firebase Auth Admin, which looked more like what I was looking for. I tried messing with custom token creation and other authentication related matters but I fail to be able to log in.
I reached out to friends for help, they recommended getting local login/googleauth working End-to-end using firebase before trying to secure our tokens moreso than they already are.
I'm very lost and not sure if I'm misunderstanding something fundamental or just not applying the right things. I apologize if this is unclear, I'm just trying to allow email/password login using firebase auth to securely authenticate with my MongoDB data (if that's even necessary)
Any guidance would be appreciated!
You're absolutely right with your approach and its possible to use Firebase Auth for just login/signup and rest of all on mongoDB.
There are 2 ways u can implement the Firebase Auth-
Using the sdk provided by Firebase
Using the Admin Auth API
Which ever way you selected, Later on save your UID on your custom Backend (Which is backed by MongoDB)
Just create your API's to verify user identity.
If you're using NodeJs you can follow this tutorial.

How do I lock down Firebase Database to any user from a specific (email) domain using the new firebase cloud functions?

Without cloud functions, it appeared that it required a app server to securely limit signups for a firebase app by email domain according to this old question: How do I lock down Firebase Database to any user from a specific (email) domain?
The goal is to allow only signups from a specific domain or set of domains using google authentication and/or other auth providers.
Now that we have firebase cloud functions how can this be accomplished without an app server?
From the Introduction section of the Firebase Functions page:
Firebase SDK for Cloud Functions integrates the Firebase platform by letting you write code that responds to events and invokes functionality exposed by other Firebase features.
The keyword being responds. The Firebase functions are only meant to react, not prevent, so to speak.
If you picture the scenario of a user signing up, your functions would only fire after a user has been created (functions.auth.user().onCreate). By that measure, if you were to do this with Firebase Functions then you would have to delete the user after it was created, making your client side logic really messy.
The rules that Josep directed you towards is the correct solution. They will actively prevent any signups from a given domain.
I hope this clarifies a bit, even though it might not have been the answer you were looking for. :)

Share AccessToken between AngularFire2/Firebase and NodeJS

I feel like I am wanting to do something that is either easy, or very wrong. Not sure which one yet.
I am wanting to build an application that is backed by Firebase for:
Authentication
Realtime Database
I will build an Angular2 Front end Single Page App using AngularFire2. Using AngularFire2, the user will authenticate using GoogleAuthentication provider. The Angular2 app will interact with the firebase realtime database directly under most cases.
But I have some cases that I want a NodeJS/Express REST API layer todo more complex business logic and interact with FireBase Database. What I want to have happen is when the user authenticates with AngularFire2 that the accessToken can be used on the API calls to NodeJS in the HTTP Header. Then inside the NodeJS Firebase SDK I just authenticate using that token.
How would you go about doing this? I've been digging through documentation for a while now and still haven't figure it out.
Took lots of digging, but I found the solution. I hope this is a useful thread for others to find.
The accepted answer at: Answer gives a good lead to this. Specifically look at:
Authenticating your privileged workers
Emulating users or limiting access from a server process
Validating client identity via security

Resources