DEV Community

Securing your express/Node.js API with Firebase auth

Nwakwoke Patrick Nnaemeka on September 23, 2019

A lot of applications, be it a mobile app or a web app have some form of authentication. If you've worked on various apps, handling authentication ...
Michael Lustig - halfjew22@gmail.com

Really great article. Learned a few things.

What strategy would you recommend we use to securely pass the user's password to the create user Route?

Would just hashing with a salt and always checking against that suffice?

Nwakwoke Patrick Nnaemeka

Just pass the raw password to firebase auth. Firebase auth will take care of the hashing

Michael Lustig - halfjew22@gmail.com

But aren’t we sending a post request to the router? Is it a security issue at all to send the plaintext password in a post request?

I understand that Firebase takes care of the password hashing, but isn’t that generally done client side?

Thanks for helping me understand.

Nwakwoke Patrick Nnaemeka

Hashing passwords on the client before sending them to the server? Not necessary.
Even if you are handling authentication yourself, you should still hash your password on the server.
I assume your concern is someone stealing your password, if your app’s security is compromised, then they can also steal the hashed password you are sending through the client. So there is no point really.

Michael Lustig - halfjew22@gmail.com

Would one benefit of hashing client side be that, if the app’s security were compromised, then the user’s real password wouldn’t leak?

Sorry to be overly pedantic here I’m just trying to learn.

Nwakwoke Patrick Nnaemeka

If your authentication logic depends on the server authenticating an already hashed password from the client, then all a hacker needs is that hashed password from the client, the real password isn’t useful to the hacker at this point.

Michael Lustig - halfjew22@gmail.com

If they have a plain text password I entered and I am a normal user, wouldn’t the thought be that I’ve reused this email / password combination elsewhere?

Nwakwoke Patrick Nnaemeka

Yeah, but if every app did authentication the same way you are suggesting then their hashed password is still all that will be needed in a case of compromise. Your client code can be accessed in the browser, so your hashing algorithm isn’t really hidden. My advice to you is to just always have SSL.
Hope this guides you.
stackoverflow.com/questions/371592...

Michael Lustig - halfjew22@gmail.com

Thanks for taking the time to answer these quandaries.

Last one: even if an attacker has both access to a hash and the hash function, if that hash function is secure, they still can’t reverse that to get the password, correct?

Nwakwoke Patrick Nnaemeka

No, they can’t.

🦄N B🛡

"if every app did authentication the same way you are suggesting then their hashed password is still all that will be needed in a case of compromise."

There are, I think, ways to mitigate this kind of hash re-use. And I think Michael is right about there being some security advantages to interception of a hash vs a plaintext password.

Ideally a variable-salted hash of the passphrase would be signed by a given client's private key specific to the user, the same one used for a mutual TLS session.

It could still be intercepted via a MITM attack, but the attack might then give evidence of tampering.

Alex Howez

I see what you mean, the password is being sent from Client to Server to Firebase Server but as far as I know it's not necessary to hash it at any point.
Hashing is done when you want to store the pass, not send it in HTTP methods.

Seanmclem

What is "setUserClaim"? As far as I can tell it only exists in this article.

Nwakwoke Patrick Nnaemeka

For assigning roles to users. You can read more in the Firebase docs:
firebase.google.com/docs/auth/admi...

Seanmclem

Seems they use setCustomUserClaims, not setUserClaim?

Nwakwoke Patrick Nnaemeka

Thanks for pointing this out. Corrected the typo.

Seanmclem

Thanks. Also, it seems like in your frontend code firebase.initialize(config); would now be initializeApp instead of initialize;
for a web app at least.

Nwakwoke Patrick Nnaemeka

Thanks for pointing that out. Will correct it.

Seanmclem

Sorry but,

When you do:

    return axios.get('https://your-api-url/articles', {headers:
    authorization: 'Bearer '+ token})

You missed a bracket or two, and have not put authorization into another object inside headers. It should probably be

    return axios.get('https://your-api-url/articles', {headers: {
    authorization: 'Bearer '+ token}})

Nwakwoke Patrick Nnaemeka

Thanks again.

Seanmclem

Also, auth is a function:

    auth().setCustomUserClaims

🙃

Eduardo Ricardez

How can I refresh the token when it expires?

Nwakwoke Patrick Nnaemeka

Firebase handles that for you; just call the getIdToken function when you need a token.

Paolo

Hi, I am having trouble with the token because it only lives for 1 hour. My question is: if I call 'getIdToken' on every request, can this cause a performance issue or will it bill me much on Firebase? Thanks

Nwakwoke Patrick Nnaemeka

You definitely won't be billed more and I haven't had any issues with performance because the request is really fast.

Vignesh Pai

@emeka, can you add to it?

Nwakwoke Patrick Nnaemeka

Firebase handles that for you; just call the getIdToken function when you need a token.

Gabriele Marazzi

This is not 100% correct: to force Firebase to refresh the token you need to pass true to the function, getIdToken(true); otherwise you get the same token until it expires.

wisdomabioye

Why did you choose to use _ over request or req?
Just curious.

Michael Lustig - halfjew22@gmail.com

I think that’s also a paradigm in python for kind of saying, “I have to declare this variable but it isn’t used.”

Nwakwoke Patrick Nnaemeka

Just something about parameters that I have to specify and not use.

wisdomabioye

Awesome! Thanks for the response.

sundiallabs

Great and useful article. Out of curiosity, why did you opt to use async/await instead of the following for the checkIfAuthenticated method? Do you see any issues with this alternative?

    checkIfAuthenticated = (req, res, next) => {
      getAuthToken(req, res, () => {
        try {
          const { authToken } = req;
          admin
            .auth()
            .verifyIdToken(authToken)
            .then(userInfo => {
              req.authId = userInfo.uid;
              next();
            });
        } catch (e) {
          return res
            .status(401)
            .send({ error: 'You are not authorized to make this request' });
        }
      });
    };

Arthur-Fedotiev

This is a pearl I was looking for!
I can think of just one minor drawback (subjectively). On the FE side you use HTTP for sign-up, which is great, but simultaneously on the FE you use Firebase auth for sign-in.
When your system decides to migrate from Firebase auth to whatever for any reason, you will have to make an effort on both FE & BE. Wouldn't it be better to hide the auth gateway on the BE, and only allow the FE to communicate with your BE endpoints consistently?

Esteban Sánchez

What would be the correct way to also include social login like Facebook or Google?
I'm thinking of creating a cloud function that runs whenever a new user is created and communicates with our server to add the user to the db, and then adding the auth().signInWithPopup(provider) function on the frontend.

However I'm not entirely sure since I'm kind of new to firebase and never really thought to integrate firebase auth on a separate server.

Would this be the correct way to go about implementing this?

karansh491

I want to implement the same.
Did you successfully implement it?

rkast

Hello! Really appreciate this succinct guide. Any chance you have a repository containing this?

wisdomabioye

Nice article.

zakaria chahboun

Good Article. Thanks!

Kehlin Swain

How do we avoid sharing app secrets with the client for initializing Firebase with our configuration? Do we just use Firebase auth and an access token?

Karan Sharma

Hey, I'm trying to generate an auth token on the client side,
but I'm unable to do so; your one-line code to generate a token is not working.
Please help!

imrinzzzz

This is really simple and easy to understand! Thank you!

raagaware

Great article. Thanks mate.

Aarush Bhat

Hey! I am working on the backend separately. Is there a way to generate a token so that I can test the API with Postman?

Stefan aGz

How do I create an admin user?

Nwakwoke Patrick Nnaemeka

I don't think you are allowed to set custom claims while you are still creating a user. Create the user first, then set a custom claim.

KhoPhi

Is there an accompanying repository for this article?

Nwakwoke Patrick Nnaemeka

There isn’t.

VICTOR MATEUS DIAS LAMEIRA VAZ

Thanks!

Kaelan Richards

Great stuff! Do you have a link to the GitHub repo?

manie

Nice article. I have a question: is there a way I can log users in on creation of an account?