In my frontend, the user logs in using Firebase Authentication Browser. That part works perfectly fine. In addition to Firebase backend, I also have NodeJS backend that serves additional content. However, I need to serve the content to only Authenticated user.
My question is: Is there a way for my NodeJS backend to know that a user has been authenticated when they make a request?
An authenticated client is issued an ID token that uniquely identifies the user. The client can get this this token using the provided API. Then, it can pass that token to external APIs, which is verify the token using the Admin SDK.
Related
I am a nodejs developer who is currently collaborating with a front developer using react native.
I'm doing social login (Google, Kakao, Naver) in the mobile app, but I don't know who should implement which part of the back or front.
What I am trying to implement is:
Google, Naver, Kakao login
Store user information (email) in database
I think the process is, for example:
If the front implements login and access token issuance through SDK and passes the access token to the backend, it reads user information, stores it in the DB, and passes it back to the front
The frontend reads login, access token issuance, and user information and delivers it to the backend and stores it in the DB
When you log in from the frontend, when you are redirected to the backend with an authorization code, the backend issues an access token through the code, prints user information through the token, and delivers it to the frontend.
In the backend, use the npm passport module to handle login screen, issuance of access token, and output of user information (Is this an appropriate method in a mobile app environment other than the web?)
In which direction should I proceed?
I'm developping a flutter application, and I want to use firebase just for authentification, and use NodeJs for all other backend service (content filter by users).
I don't know if that possible, if It possible, how to validate if someone has logged in or not.
Yes, that is totally possible and supported.
Once you've signed the user in, you'll need to get their ID token and then pass that to your backend through a secure connection. On that backend you can then verify if the ID token is valid, and determine what the user is authorized to do to your custom backend.
I wrote Local Authentication Logic in Node, Generated a JWT and will send it to Angular App on Login.
In Angular, As soon as user Logs in with Correct Credentials, I then set the JWT in Local Storage!
In Angular I just check whether there is token in localStorage upon different route navigations. But how do I validate the token ??
If Iam changing the token from 'xxxxxxxxxxxx' to 'yyyyy' even then it's working since I am just checking whether there is token available in Local Storage.
How do I overcome this issue. ?
I knew about Headers. But those work only for API Calls, I simply want to restrict the user entering into protected Frontend Pages with invalid token.
I have a REST api and the authentication is done using jwt tokens. To make may api more secure (users and authentication mechanism) I would like to use firebase authentication. I would like to know can we use firebase as a authentication server for my REST APIs.
My understanding is that the client app will send the username and password to the firebase server and they will provide a token. Using that token client app will send an api call to our server. I need to integrate firebase admin SDK in my server and validate the token using admin SDK to get the data from my database.
Please correct me when I am wrong.
Also, i have a concern that how to manage refresh tokens to keep my app logged in.
Please help me to integrate this in the right way, and I am using nodejs/expressjs to create the APIs.
can we use firebase as a authentication server for my REST APIs.
Yes, it's one of the services they provide: https://firebase.google.com/products/auth/
My understanding is that the client app will send the username and password to the firebase server and they will provide a token.
Correct. The usual Firebase auth is done entirely client side.
But if there is a specific auth mechanism you need such as LDAP/AD or some other form of enterprise shenanigans, then you would need to create your own tokens that the client will use to authenticate: https://firebase.google.com/docs/auth/admin/create-custom-tokens
Using that token client app will send an api call to our server.
Correct. Once the client has successfully logged in and retrieved their ID tokens, you on the server side need to verify the ID token: https://firebase.google.com/docs/auth/admin/verify-id-tokens via middleware.
Also, i have a concern that how to manage refresh tokens to keep my app logged in.
You need not worry about that so long as the client uses the appropriate method to retrieve the ID token. For example, on the Web side the client would call: https://firebase.google.com/docs/reference/js/firebase.User#getIdToken which states (emphasis mine):
Returns the current token if it has not expired, otherwise this will refresh the token and return a new one.
As you can see, the client side Firebase SDK handles everything for you. There is no need for you on the server side to keep track of ID tokens, refresh tokens, or anything really. All you need to do is verify the token, that's it.
Please see my previous answer for more details on server side verification: Firebase authentication using NodeJS
I am building up the typical SPA web site with Node.js backend.
It authenticates the user by Firebaseui-Web.
How can the Node.js(express.js) identify the login user of the request Web API?
It seems like it uses token but I cannot find the sample codes.
Many Thanks,
With SPA applications, it's not hard. Every time you have an XHR, you call firebase.auth().currentUser.getIdToken() which resolves with the user's ID token and you pass it along with your request either in the header or postBody request.
On your backend, you get the ID token if present and verify it using the Firebase Admin SDK node.js library via verifyIdToken. When verified, you get the payload claims identifying the user and return the relevant information for that user. Otherwise you consider the user signed out.