I am building a REST API in node.js which needs to use Flutter and a React web app as their clients. The problem I'm facing is that I'm not sure where to handle the authorization. Both Flutter and React have a prebuilt "UI" from Firebase that doesen't even need to be connected to the backend. But also there is an option to just take the password and email from the forms and send them to my API which sends them to Firebase via a post request. The flow should be this, a user signs up with Firebase and is created, while that is happening he is also being "signed" up on my API so I can append and store data in his account.
I only need Firebase as an authorization layer, I feel that at this point in time I can't build anything comparable in terms of security when it comes to the authorization.
If you want to work with Firebase Authentication accounts on your backend, then you will need to use the Firebase Admin SDK to manage users. In particular, what you need to do is have the client app send the ID token provided by the SDK and verify the token so your backend can do things on the user's behalf.
I would recommend you to avoid implementing integration with Firebase in the client side, and do it only in the server side. You can use Firebase-Admin to integrate with Firebase in your node.js server. Then, the sign up/in request will be via your API.
In this way, your clients don't depend on 3rd party and all of the library updates should be in your server.
Related
I have a client side React application which currently gets access of the current authenticated user through this:
const unsubscribe = onAuthStateChanged(auth, (user) => {
setCurrentUser(user);
});
Also we have realtime database rules in certain parts like
request.auth != null
Now, I'm planning to shift the firebase part to a NodeJS + express server.
For this I have installed the firebase SDK in my server. But is it safe to use the normal authentication functions from firebase SDK?
In client side app, only one user object could exist at a particular time. Whereas, in the server side, there could be several requests for authentication at the same time.
Also, even if I do the authentication, how am I going to send authenticated requests to perform CRUD operations on my realtime and firestore databases?
Note: I've heard about the firebase-admin SDK, but have also learnt that it's immensely powerful. That's why I want to avoid using it. If I have to use it, what is the right way to do so?
The recommended approach is explained here in the Authentication doc.
And yes you need to use the Admin SDK on your Node.js backend server.
Basically the mechanism is the following one:
You keep the user authentication in your React app, in other word you call the Firebase Authentication service to sign in the user (with the JavaScript SDK from your web app). Firebase creates an ID token that uniquely identifies the user. See this section.
Then when the app interacts with your Node.js backend server you can send that ID token (a JWT) to your backend and validate it using the Firebase Admin SDK. The verifyIdToken() method is used to verify an ID token, as explained in this section. The method returns the decoded ID token from which you get the user's uid.
With the user's uid you can query your Realtime and Firestore databases for the data corresponding to the user (again with the Admin SDK).
IMPORTANT: Note that the Admin SDK totally bypasses security rules. So it's up to you, in your Node.js code, to manage the access to the data corresponding to the user.
I am working on an existing Next.js web application, and I would like to add the DocuSign Node.JS SDK to use the JWT Auth and generate a token for my front-end application. The Next.JS app is hosted on Vercel, which can run serverless functions.
I am having trouble building the Node.JS endpoint to obtain the JWT Auth token to call the esignatures API. Does anyone know how to integrate the JWT Auth workflow into a Next.JS/React.JS application with serverless functions?
The DocuSign Node.js SDK is currently designed for server side use only.
To use the DocuSign API from the client (browser):
Only the Implicit grant flow can be used from the browser due to restrictions in the OAuth standard.
If the user of your application does not have a DocuSign account (eg the user will be a signer), then you have two options:
using JWT grant auth on a backend server, acquire an access token for a "system user" such "hr#example.com". Use this access token to create an envelope and the signing ceremony (for embedded signing). Or use the access token as needed by your app. If the app includes a (non-DocuSign) login, then you can pass the access token to the browser and make calls from it.
use the PowerForms API if it meets your needs
To make API calls from the client, you will need to build a CORS forwarding proxy since DocuSign doesn't yet support CORS natively. And to make the API calls themselves, call the API directly since no SDK is available at this time.
I have one question about firebase auth. I have a nodejs server api and a react web client application and i want to implement auth with server-side session cookie management.
I've been following the Firebase documentation and saw that they advise implementing client-side authentication and my question is why this should be the case?
I want to handle all the server side authentication and abstract that logic from the client. The client sends email and password and then on the server authenticates with the firebase SDK library and then exchanges it for a session cookie.
Is there any negative point that I am not seeing to do it like this? What are your recommendations on this?
Thanks!!
Doing this with the Node.js client-side SDK on a server, is similar to calling the REST APIs. It can definitely work, but you're going to be missing out on a lot of functionality of the SDKs, such as automatic caching of tokens and credentials, and automatic refreshing of ID tokens. But if that's what you want, it is possible. After all, that's precisely what the Firebase SDK also does.
I'm trying to create an API for our app using Express.js endpoints that connect to our Firebase Cloud Firestore database. A main component of responding with the requested information securely is authentication, and we want to be able to make it as straight forward to the users as possible. For example, by them simply sending an API secret key on their requests.
My issue is that all of the authentication mechanisms that Firebase seem to provide require that the client is authenticated with the Firebase SDK, which would be uncomfortable for us to ask users to install.
In short, is there any way that they can either create a firebase token without the SDK or for us to authenticate them securely with an API key on our end? Note that the connection to our API would only be done through our user's back ends, never front end clients.
Thanks!
See:
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.
You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.
I am currently developing an API project using ClaudiaJS API Builder to build and deploy it on AWS Lambda with it's endpoints exposed on AWS API Gateway. I am planning to have at least a webapp and a mobile app for this platform, so I'm focusing mostly everything on API's, including the authentication methods(signup, signin, logout, verify account, ect.).
Unfortunately, as I am not using Express in this project, I can't find a good way to build these auth methods since every library I find has some dependency on Express (e.g PassportJS).
My initial thoughts for the login workflow are:
User submits login form containing user/pass stored in PostgreSQL
DB.
Front app calls auth API.
API method compared credentials against the user DB (Using BCrypt).
In case of success, API method generates JWT containing a few user details on it's payload and returns to the consumer app.
Is there any good approach for achieving this goal without using Passport and/or Express? Are there any other libs for this purpose or should I just use a regular db query and generate a JWT in case the evaluation succeeds?
Thanks for everyone in advance.
Best regards,
Enrico Bergamo