I was wondering which one would be better, Authentication with Firebase or a database in Firebase. This is the general idea of my project, and I was wondering which one would be best:
I am creating an companion to a game, and this app can be registered to users, or a Clan which is a group of users. I need to group the users into their clans if they choose to do so, so I am guessing the database is better. But, Firebase Authentication seems like an easier process. Is a database better? Also, users will register online with my website, so it can be easier without a register process in-app.
Thank you for reading my post and hopefully for answering it!
-Braythor
You can have users Register/Login using the Firebase Authentication and when they do that you add their username to the database to be able to the group them by clan under different nodes in firebase.
Not sure if this is what you were asking, but you're right that using Firebase Authentication to have users register is easy, so this implementation would allow you to do that while also grouping them by clan in the database.
Related
I have a project where one app needs to access multiple databases sharded across multiple firebase projects. Now since it's the same app, i can't use the same SHA1 across all the projects where i add the app.
I do not add any google-services.json files for any of the projects, instead i fetch the database url, the storage bucket info, the api-key and the appids for each project from my own server which keeps a track of all the sharded firebase projects.
My question is, with just this much information, can anyone just authenticate to firebase?
There's no SHA1 protection so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can i secure my app if it's not secure with the current configuration
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then user a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brain storming, i came to the conclusion that Oauth domain which by default is localhost and the firebase-app domain will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
I am working on something where I have two apps - one for a 'Requester' user and one for a 'Responder' user, and I am currently using Firebase for Auth. The users sign in with email/password combinations and this is the root of the problem:
The problem is with user collisions - because the auth module is hooked up into a single project in the Firebase console, a responder can technically log into the requester app, and vice versa, which results in issues because well, the back end conks out - the API doesnt allow them access because the DB doesnt find their data in the tables, and the apps behave erratically (read: crash).
I understand there are similar sounding questions (Android - Firebase - Different types of Users Login) but what I would really like to ask is if there can be some way I can avoid this nasty situation. Some options that come to mind are:
do a manual check in the db and log the user out if they are not of the right type - can be done but is tedious and costs data/time.
create different projects in Firebase just for each user type - this is inefficient - while I use Firebase for auth, I use Mongo for storage so this doesnt really matter but if/when I switch to Firebase for storage, then my server code will get complicated, slow and messy from having to access a different DB each to access requester and responder data
roll my own auth - feels like a bad idea, but it helps solve the immediate problem while opening a different can of worms as I also need to implement Firebase Cloud Messaging down the line
switch to another auth provider - I'm open to suggestions here
I also anticipate a scenario where a responder could create an account and use the requester app as well, in which case the collision occurs and needs to be addressed - I could ban responders from using the same email ID to sign in as a requester but that may not hold up to real world scenarios where users could (and will) want to use one email ID for everything.
Can anyone help me with the right approach to take and/or with any hints/solutions to this problem?
----- EDIT ON 14 DEC 2017 --------
I also have two apps listed under the same project (screenshot attached), so my next question is, will there even be a clash when a requester user tries to sign in/sign up as a responder or vice versa?
Consider using custom user claims and enforcing access via the Database rules or if you are using your own endpoints, by parsing the ID token and checking its claims. The Firebase admin SDK provides tools to do that: https://firebase.google.com/docs/auth/admin/custom-claims
Firebase Auth team is also working on exposing these claims to the client too to simplify UI changes needed there.
I have recently been learning Firebase for my salon app. I successfully use Firebase for authentication (Facebook, Google, Email) and now I am planning to continue to use Firebase Realtime DB for my app.
My app will cover member registration, reservation, services list, employees and transactions (treatment). Unfortunately, I am stuck and confuse at creating my data structure. I have no experience in NoSQL and I also could not find any complete db/data structure sample of one app (especially one that include transaction like e-commerce).
Please help give me any samples if you have or know so I can have better picture for my app. Thank you.
I can't seem to be able to implement firebase custom auth. I'm new to programming and I cant find any reference to create custom auth from scratch. My application is android based social report.
the following are my use cases :
I need an admin to manage the data (CRUD the report)
Normal user to post reports
I did some research.
Based on what I've read, I need to create custom auth to differentiate normal users and admin.
I don't know the proper way to implement my auth server. I'm thinking of putting my users data (admin and normal user) on firebase. Is it viable? Do I need to create a separate database of users on my auth server to verify the auth? Can you please explain the workflow of firebase custom authentication?
From the terse description you've given, it doesn't sound like your regular users need custom auth. They can just as easily use email+password or one of the supported social providers to authenticate. Given that you indicate being new to programming and the fact that getting authentication right is hard, I highly recommend not building your own authentication for these users.
Whether your administrators require custom authentication tokens is also debatable. From what you tell about their tasks, they are application administrators: users who fulfill a special role within the application. Those you can easily model in your Firebase security rules. As for regular users, if you can use a built-in identity provider for these administrator, it significantly reduces the chance of introducing a security hole.
I started learning about Firebase for an android, but still can't get my head around some stuff, so I have couple of questions that I would love your help to answer.
1 - Can a user (or a hacker) know my firebase link from the app?
2 - if they did, will they be able to change my stored data without knowing my google email address associated with the database?
Thanks
Unless properly secured, anyone can read or write data to your Firebase database.
To secure your Firebase database you need to write Security Rules.
Firebase Security Rules live on a Firebase server and validate whether someone can access your data.
You also might want to check out this answer too for a beginner explanation.