i'm creating an android app, which requires some authentication system. I want to have 3 options to log in users: mail&password, facebook login and anonymous access (in case of anonymous i'll create some kind of anonymous account, so user'll be able to give his credentials later and secure his account with 'normal' password).
I'll also have my own webservice for this app. Webservice is in fact the most crucial part and android app will just show data from WS and put some new data on it.
I'll be using Firebase for handling notifications.
My question is: should i use Firebase authentication in this scenario or maybe it's better to stay with own authentication system? If i use Firebase i still need to have users in my database (webservice requires some info about users).
Is firebase authentication good choice for project like that?
Even in the case of Firebase where we use firebase authentication and the firebase database together, only a few details of user(user id, login email or number, provider details etc) are available under the Authentication tab. The rest of the details we receive after login and other custom user information we collect from the app have to be saved in the Firebase database.
So even if you have another Web service instead of using Firebase Database, you can use Firebase Authentication. There are definitely great advantages if you use Firebase Authentication.
Save time on developing Webservice methods for authentication :
Instead, you can just have a method to store user information after the user authenticates with Firebase. Also, there is considerable time saved since you can avoid developing server-side methods for different kinds of token verification in case you want to add social logins like Facebook and Google.
All that will be handled efficiently with Firebase.
Detailed Analytics: Also with Firebase authentication, you can also get good analytics and demographic information of users.
You don't have to use Firebase authentication in order to use FireBase Push Notifications, Invites, etc.
That's one of the beauties of Firebase; you can choose which service to use.
Since everything is built already, I would continue to use your own Auth system
You can save all users, and you can authenticate with Google, Facebook, only email.
It's like a database online and it's easy to connect with the same at Android Studio and after you can login with the users.
Related
I have implemented an Android application where the user can register to a webserver and log in with an e-mail address and a chosen password to the app. In the app, the user can use all the app features. One feature should be a chat application.
I thought about realizing the chat app with Firebase Realtime Database. To protect the access, I thought about authentification as an access rule for the database. In general, the registration would be linked to the Firebase authentication. As I have my own registration and login, I would like to ask if there is an option to use my own login data for authentification. And can it be linked to the Firebase Realtime Database?
As I have my own registration and login, I would like to ask if there is an option to use my own login data for authentification. And can it be linked to the Firebase Realtime Database?
You can use your own authentication, but if you want to sign in to Firebase, you need to create a custom token. Once you do that, you'll be able to write security rules.
I have an app which is already published on the play store and uses some firebase databases whose security rules are public. So in order to make the rules private and fit in the security rules. I would have to implement Firebase Auth.
So my app login flow works as in identifying the user with their phone number OTP verification.
First, I don't want the user to change their login flow. Like I don't want to integrate Social Login.
So is there a way I can use Firebase Phone Auth to my existing flow and get the uid of the user so that in the Firebase DB rules I can use that uid for my auth?
Please help me! I am stuck at this and couldn't find any solution.
If I understand correctly you use a phone number OTP system that is not Firebase Authentication to identify your users.
There is no way to tie that existing flow to Firebase's phone number authentication that I can think of.
The two options that come to mind:
Replace your existing authentication system with Firebase Authentication, and map their new (Firebase) UID to the previous ID system.
Keep using your own phone number verification, and mint a custom Firebase token for your users based on that, then use that to sign in to Firebase. Generating custom tokens can only be done in a trusted environment though.
Scenario:
I want to create an android app which uses username and password for authentication. I decided to use firebase custom auth for that purpose.
From my android app, I am calling a firebase cloud function to authenticate the user with the provided user credentials.
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
Source: https://firebase.google.com/docs/auth/admin/create-custom-tokens
I would like to make use of firebase firestore to store username and password and use it to create custom JWT for Firebase custom authentication in firebase cloud functions.
Question:
Should I store user credentials in firebase firestore and if yes, what is the secure way to do so. If no, how should I proceed further?
How to create JWT in firebase cloud functions if the credentials passed to the function match with the credentials in firestore.
Note:
I don't have a credential system or own a server.
If you've never created authentication systems before, I highly recommend finding an existing implementation of such an authentication system for your app. Using something that is made by folks that do this for a living, is much less likely to lead to future data leaks that would negatively affect the users of your app.
That said: if you're going to build your own system, you'll want to have a look at this example usename/auth provider in the functions-samples repo. It shows how to receive the data, how to call a backend system, and how to mint a custom token.
For some information on how to store username/password, see Best way to store password in database. Storing this information in Firestore is a common approach, and no better or worse than storing it in any other properly secured cloud-based database.
I am using firebase auth on my android app. Now while signup if a user gives some non existing email, It still lets the user to signup. and saves the information on the database. How to prevent that?
The only way to check an email address is 'real' is to require the user receive an email on that address and respond to it - as this work flow is so common firebase has specific workflow to deal with it; That a look at the documentation here https://firebase.google.com/docs/auth/web/manage-users#send_a_user_a_verification_email
You can authenticate your users in several ways:
Custom Email/Password Login (One that you are trying i guess). Be clear of the fact that you will have to first register your users, store their registered data online on firebase database, and then verify the registered data (in the database) when they login with the previously input credentials.
If you want your users to login using authentic credentials beyond your database's information, the most easy and useful way can be using Facebook or Google Authentication. Note that you don't necessarily need to have those apps on your phone to login using these methods. You can follow the following links to guide you through the steps to do so.
https://firebase.google.com/docs/auth/android/facebook-login
https://firebase.google.com/docs/auth/android/google-signin
I have created an Admin portal using firebase which shows the details of the users registered in my android app. As soon as they register in my app, the user is created inside the firebase Auth. Now I am concerned about the security of the site as my firebase API key is visible to everyone. So if they use that key, then they can easily access my firebase database and fetch the data using a simple javascript. So I wanted to know any solution to avoid this security problem???