Authenticate user without using angularfire - node.js

I am working on an application in which i need to authenticate user. I am using firebase for database. I have used node.js for getting data from firebase. Now all i want is to create login page and in that i need to authenticate user by their email address and password. And i want to use the same method how i am fetching the data that is using node and i don't want to use angularfire for the authentication. Is it possible to perform? If it is can you please share how can i accomplish that?

Authenticating from a server-side process with the Firebase 3.x SDK requires the use of a service account. From the documentation:
When you authenticate a server, rather than sign in with a user account's credentials as you would in a client app, you authenticate with a service account which identifies your server to Firebase.
If you want to custom handle the authentication of your users, you'd create a custom token for your users on the server and then have them pass that to Firebase.
In general I'd recommend reading this article about common application architectures when using the Firebase Database.

Related

How to authenticate user and send authenticated requests from client to server side in Firebase realtime database?

I have a client side React application which currently gets access of the current authenticated user through this:
const unsubscribe = onAuthStateChanged(auth, (user) => {
setCurrentUser(user);
});
Also we have realtime database rules in certain parts like
request.auth != null
Now, I'm planning to shift the firebase part to a NodeJS + express server.
For this I have installed the firebase SDK in my server. But is it safe to use the normal authentication functions from firebase SDK?
In client side app, only one user object could exist at a particular time. Whereas, in the server side, there could be several requests for authentication at the same time.
Also, even if I do the authentication, how am I going to send authenticated requests to perform CRUD operations on my realtime and firestore databases?
Note: I've heard about the firebase-admin SDK, but have also learnt that it's immensely powerful. That's why I want to avoid using it. If I have to use it, what is the right way to do so?
The recommended approach is explained here in the Authentication doc.
And yes you need to use the Admin SDK on your Node.js backend server.
Basically the mechanism is the following one:
You keep the user authentication in your React app, in other word you call the Firebase Authentication service to sign in the user (with the JavaScript SDK from your web app). Firebase creates an ID token that uniquely identifies the user. See this section.
Then when the app interacts with your Node.js backend server you can send that ID token (a JWT) to your backend and validate it using the Firebase Admin SDK. The verifyIdToken() method is used to verify an ID token, as explained in this section. The method returns the decoded ID token from which you get the user's uid.
With the user's uid you can query your Realtime and Firestore databases for the data corresponding to the user (again with the Admin SDK).
IMPORTANT: Note that the Admin SDK totally bypasses security rules. So it's up to you, in your Node.js code, to manage the access to the data corresponding to the user.

How to create a secure API using Firebase Auth without installing Firebase SDK on the client

I'm trying to create an API for our app using Express.js endpoints that connect to our Firebase Cloud Firestore database. A main component of responding with the requested information securely is authentication, and we want to be able to make it as straight forward to the users as possible. For example, by them simply sending an API secret key on their requests.
My issue is that all of the authentication mechanisms that Firebase seem to provide require that the client is authenticated with the Firebase SDK, which would be uncomfortable for us to ask users to install.
In short, is there any way that they can either create a firebase token without the SDK or for us to authenticate them securely with an API key on our end? Note that the connection to our API would only be done through our user's back ends, never front end clients.
Thanks!
See:
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.
You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.

Firebase Authentication mixed with cloud sql

I'm developing my first app with firebase auth and Google App Engine, and I'm wondering how should I do some things.
For example: My architecture will be in Google App engine, and I'm using Cloud SQL to store data (using sequelize). The app is developed with node.js and express.
The problem is I want to use firebase auth to make login easier.
Everything for that is done client-side so.... is there any example on how should I use firebase Auth and how should I authenticate my request to my API in order to get which user it is on every request?
Maybe forward the token to the API? and then getting the info?
Thanks for your help.
There are definitely examples of this. What you'll want to do is look at the documentation for the Firebase Admin SDK, which is the SDK that you can run on trusted environments (such as App Engine) to perform actions that require administrative access.
In a typica scenario you'll use the Firebase Authentication SDK to sign the user in in the app, and then pass the ID token to your App Engine back-end. There you'll validate and verify the token, and then perform whatever actions the user is authorized to perform according to your rules.
If you'd be using a Firebase database (either Realtime Database or Cloud Firestore) you would be able to pass the token along and enforce authorized access in Firebase's server-side security rules. But since you're using Cloud SQL (which isn't aware of Firebase), you'll need to enforce your authorization rules in your own App Engine code.

Can I use my own custom authentication service in Firebase?

I want to create chat application using Firebase. I have the backend done in micro-services.
I also built an authentication API micro-service that allow the user to login/register and other. That service is built in Node.js and Mongodb using JWT tokens.
I am not that familiar with Firebase, all I know that you can you their auth/authorization service.
Will it be alright to use that micro-service in Firebase?
You can use the Firebase Admin SDK to mint a token that Firebase Authentication can then use to authenticate your user.
See the Firebase documentation on minting custom tokens for an example.

How to implement Oauth2 Provider in REST Api Server?

I am developing REST API Server in Node.js and it is almost Ready. Now I am trying to implement Authentication to API server. I decided to use OAuth2 for this. I think I will be Using grant type password, as most of the Apps that will use my service will be under my control.
There are some modules available https://github.com/jaredhanson/oauth2orize, I am confused on storing access token for the authorised users and mantaining sessions. As this is REST server do i need to mantain the Session, Or should i just store active tokens and related users to db and check for each request if they are valid or not?

Resources