Firebase 3 Auth as a Client on NodeJS


Michael Anderson

Jun 3, 2016, 10:34:59 AM
to Firebase Google Group
I have a system design that doesn't seem to be supported by the upgrade to 3.x.

I have multiple little devices that collect data from wireless sensors. The collectors then push sensor data up to Firebase from where it is propagated to the owners of the sensors and collectors. Currently the collectors are Raspberry Pis running NodeJS with Firebase 2.x.

Since the collectors are uncontrolled I didn't want to let them have full access to the Firebase database. In 2.x I gave each collector a login based on its MAC ID (AABBCC...@example.com) and limited its permissions as if it were a normal user. The collector's account IDs are associated with the user accounts so that only the owner of a collector can view its sensor data.

Firebase has been great for this concept, the users get controlled access to only their own sensor data in near real time. Even on a mobile device sensor data only lags by a second or so.

With the rollout of 3.x I've been looking into making my system upgradable. The user interface end is simple, the collector end is not so simple. From what I can tell, using NodeJS I can only log in as a server, which then gives the collector full access to all the data. In my system this becomes a security risk.

Is there any way to get email/password authentication back into NodeJS in 3.x? I recognize that for now I can leave my collectors on 2.x but that's only a temporary solution.

Jacob Wenger

Jun 3, 2016, 12:13:22 PM
to fireba...@googlegroups.com
Hey Michael,

Not currently, but we've been having a bunch of internal and external discussions on this exact topic and you can expect us to make some changes in the near future. For now, please hang tight and use the 2.x.x SDKs. Those won't be going anywhere anytime soon and are still 100% supported. We've heard the feedback loud and clear and we are figuring out what the best way to support your use case is.

Would you mind if I reach out privately when we have more of an idea of what we want to do and possibly share some pre-release code with you to make sure we are supporting your use case?

Cheers,
Jacob


Chris Raynor

Jun 3, 2016, 1:18:08 PM
to Firebase Google Group
I wouldn't recommend limiting the IAM permission of a service account shipped with every device to Viewer - the untrusted device would have complete read access to a project, including read access to the entire realtime database, and in most cases access to data in any GCS buckets, if there are any VMs running in cloud, etc. etc.

As Jacob mentioned, we are working on some changes to make this a supported, 1st class use-case that unfortunately didn't make the cut in the rush for I/O. I don't have a time frame, but in the meantime the 2.x SDKs are fully supported and meet all the requirements. Apologies for the inconvenience.

Chris

On Fri, Jun 3, 2016 at 9:48 AM Sudharsan R <sudhar...@gmail.com> wrote:
If you are doing a server auth, will switching to OAuth2 and authorizing the scope of collector as https://www.googleapis.com/auth/firebase.database.readonly and accordingly assigning the role of the collector as "Viewer" in IAM help?

Pls see response of Chris Raynor of Firebase team for one of my questions.

Michael Anderson

Jun 3, 2016, 5:33:33 PM
to Firebase Google Group
Jacob,

I'd welcome the chance to influence the code as you get closer.

Thanks,

Mike

Tommy

Jun 5, 2016, 10:55:01 AM
to Firebase Google Group
I needed this exact use-case in my Node application, but had no idea it wasn't supported in 3.0 in Node. Now I have to revert everything on the client-side back to 2.x because of this lacking feature. Is there a way to downgrade my project back to 2.x?

At least this way I can go back to accessing it in my regular console and not have to open an incognito browser since the new console doesn't seem to support the standard Google account selector.

Jacob Wenger

Jun 9, 2016, 6:52:46 PM
to fireba...@googlegroups.com
@Tommy - You can continue to use the 2.x.x SDKs even though you've migrated your project to the new console. The only case where you cannot use the 2.x.x SDKs is if you created a new project in the new console. If that is the case, please create a new project in the old console. Let me know if you are stuck.

Ian Cervantez

Jun 9, 2016, 9:12:06 PM
to Firebase Google Group
+1 for wanting the email/password auth available on the server SDK.

Felix Enescu

Jun 28, 2016, 9:52:08 AM
to Firebase Google Group
@Jacob: I have the exact use case as Tommy and I try to get to the old console but I get redirected to the new one.

Is this still possible?

If currently I only have a project in the new console, can I still access the old one to create a new project? I tried with another user and still get redirected to the new console.

Thanks a lot,
Felix.

Jacob Wenger

Jun 28, 2016, 11:33:42 AM
to fireba...@googlegroups.com
Hi Felix,

As of last week, you can only create new projects in the legacy console if you already had an existing legacy account. That is why you are being redirected. We are working on bringing the user management methods to 3.x.x Node.js SDK and hope to have more announcements on that in the near future.

Cheers,
Jacob

Francisco Carriedo

Jun 28, 2016, 2:20:03 PM
to Firebase Google Group
Big +1 on this too.

This is huge for us. Either usr/password or a mechanism to create limited scope certificates with limited scope that can be managed just as general accounts.

I think this is also important for server-to-server communication. You might have a service running on a server that only needs to read from a specific part of the RTDB tree (no write). If the server gets compromised, we don't have the risk of compromising the whole company DB and assets.

I know you're working hard on this and thanks a lot for that! I'm blown away by the potential of Firebase.

Francisco Carriedo

Jun 28, 2016, 3:19:54 PM
to Firebase Google Group
BTW, is there any way that the community can help on this specific issue?

Jacob Wenger

Jun 28, 2016, 4:30:33 PM
to fireba...@googlegroups.com
Hey Francisco,

Thanks for the feedback. I totally hear you and agree with you that this is an important feature. The libraries are not open source so we cannot take community contributions on them at this time. We are actively working on bringing this functionality to the Node.js SDK though.

Cheers,
Jacob 

Francisco Carriedo

Jun 28, 2016, 5:44:04 PM
to fireba...@googlegroups.com
If you want us to be beta testers of the unreleased libraries, reporting bugs, etc., we're happy to help with that.

Cheers!



--
Francisco J. Carriedo

Jacob Wenger

Aug 8, 2016, 6:45:04 PM
to Firebase Google Group
@all - If any of you on this thread are interested in beta testing some client-side auth and user-management methods in Node.js, please shoot me an email at ja...@firebase.com. I would email you directly, but I can't get emails for most of you on this thread :/

Jacob Wenger

Aug 16, 2016, 3:27:01 PM
to Firebase Google Group
Hey Firebasers,

We just released version 3.3.0 of the Firebase JavaScript SDK (release notes). The biggest new feature is very relevant to this thread: our Node.js SDK now supports the client-side auth and user management methods found in the web version of the SDK! That means you can authenticate your Node.js process using end-user credentials as well as manage user accounts.

I want to point out that the Node.js SDK now has slightly different auth APIs and the one you get depends on how you initialize the SDK.
  • If you include a serviceAccount when calling firebase.initializeApp(), you will get the "admin" auth API which authenticates you as an admin with full read / write privilege of your Realtime Database and the ability to generate custom tokens and verify ID tokens.
  • If instead you pass an apiKey when calling firebase.initializeApp(), you will get the same "client" auth API as you get in the browser. The only difference is that "headful" methods like signInWithPopup(), signInWithPopup(), linkWithPopup() and linkWithRedirect() are not available in the Node.js environment. In this mode, you won't have access to methods for creating custom tokens and verifying ID tokens.
  • If you provide no serviceAccount and no apiKey, you won't have access to any auth methods. Instead, you will just have unauthenticated access to the Realtime Database.
We realize there is still more to do here. We are working on an admin auth API for Node.js which will allow you to more easily manage your users (create users, change passwords, delete users, etc.) without worrying about rate limiting or having a user's credentials. We also plan to simplify the division between "client" methods and "admin" methods available in the same SDK. Stay tuned for these in future releases.

Thanks to the beta testers who have already given this SDK a whirl. We think we've identified all the bugs, but if you find an issue, please report it. If you have a usage question, feel free to start a new thread in this Google Group and we will help you out.

Cheers,
Jacob

Jack Davis

Aug 16, 2016, 4:02:55 PM
to Firebase Google Group
Great news...Thanks!

Jacob Wenger

Aug 16, 2016, 4:51:31 PM
to fireba...@googlegroups.com
One other thing to note as I'm sure it's bound to come up at some point: you can create multiple firebase.App instances with different auth APIs and privileges by passing a second argument to firebase.initializeApp() and using the return value instead of the default firebase.App instance:

var firebase = require("firebase");

// "client" app: apiKey selects the end-user auth API
var clientApp = firebase.initializeApp({
  apiKey: "<API_KEY>",
  authDomain: "<AUTH_DOMAIN_NAME>.firebaseapp.com",
  databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
}, 'client');

// "admin" app: serviceAccount selects the admin auth API
var adminApp = firebase.initializeApp({
  serviceAccount: "path/to/serviceAccountKey.json",
  databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
}, 'admin');

// no apiKey and no serviceAccount: no auth methods at all
var unauthenticatedApp = firebase.initializeApp({
  databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
}, 'unauthenticated');

// Instead of this...
//var db = firebase.database(); // throws an error since default app is not defined
//var auth = firebase.auth();   // throws an error since default app is not defined

// ... do this
var clientDb = clientApp.database(); // allows for end-user access to db (unauthenticated by default)
var clientAuth = clientApp.auth();   // has methods for end-user authentication and account management

var adminDb = adminApp.database(); // has full read / write access to db
var adminAuth = adminApp.auth();   // has methods for creating custom tokens and verifying ID tokens

var unauthenticatedDb = unauthenticatedApp.database(); // has only unauthenticated access to db
//var unauthenticatedAuth = unauthenticatedApp.auth(); // throws an error

Cheers,
Jacob
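
For the uncontrolled-collector case that opened this thread, the sketch below is an added example, not code from Jacob's post or from the Firebase SDK. It refuses to start a device process with anything but the "client" auth API and returns a database reference scoped to the signed-in user. The function names, the 'collector' app name and the collectors/<uid>/readings path are assumptions for illustration, and the SDK object is passed in so the guard can be exercised offline.

```javascript
// Added example. `firebaseSdk` is the object returned by require("firebase")
// (SDK 3.3.0 or later); it is injected rather than required here.

// Classify an initializeApp() config by the auth API it selects,
// following the three cases listed in the 3.3.0 announcement above.
function authModeFor(config) {
  if (config.serviceAccount) return "admin";   // full read / write privilege
  if (config.apiKey) return "client";          // end-user auth, same as the browser
  return "unauthenticated";                    // no auth methods available
}

// Start a collector with end-user privileges only.
// The path layout collectors/<uid>/readings is a hypothetical schema.
function startCollector(firebaseSdk, config, email, password) {
  var mode = authModeFor(config);
  if (mode !== "client") {
    // A service account on an uncontrolled device would give it access
    // to all of the project's data, so fail before initializing anything.
    throw new Error("collector must use client auth, got: " + mode);
  }
  var app = firebaseSdk.initializeApp(config, "collector");
  return app.auth()
    .signInWithEmailAndPassword(email, password)
    .then(function (result) {
      // 3.x resolves with the user; later SDK versions resolve with { user: ... }.
      var user = result.user || result;
      return app.database().ref("collectors/" + user.uid + "/readings");
    });
}
```

What the signed-in collector can then read or write under that reference is decided by the project's security rules, as for any other end user.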


Francisco Carriedo

Aug 18, 2016, 10:31:23 AM
to Firebase Google Group
Great news indeed!

Thanks for the additional info.

Kirtan Thakkar

Oct 26, 2016, 10:45:24 AM
to Firebase Google Group
Don't you think you should document this somewhere? I was struggling for the past 3 hours to find this!

Thanks,
Kirtan

Jacob Wenger

Oct 26, 2016, 1:27:58 PM
to fireba...@googlegroups.com
Thanks for the feedback. The ability to create multiple apps is indeed documented in the getting started guide here, although we can probably do a better job with the content. I'll see what I can do.

Cheers,
Jacob


Kirtan Thakkar

Oct 27, 2016, 11:17:09 AM
to Firebase Google Group
The link you provided shows how to initialize 2 apps. Not the same to use with admin rights and client apps of the same project! That part should contain the snippet posted here.

Jacob Wenger

Oct 27, 2016, 12:57:42 PM
to fireba...@googlegroups.com
Thanks for the feedback Kirtan! That makes sense. I'm actually working on these docs now so hopefully they should be clearer in the near future.

Cheers,
Jacob


Kirtan Thakkar

Oct 27, 2016, 2:10:43 PM
to fireba...@googlegroups.com

Thanks for the update Jacob! I would love to see the up-to-date docs for awesome firebase :D




Yanbing Peng

Dec 13, 2016, 12:09:02 AM
to Firebase Google Group
Thanks for the efforts. I was having an issue when trying to authenticate as a user on an embedded node server.
I was following the official Firebase doc here:
var firebase = require("firebase/app");
require("firebase/auth");
require("firebase/database");

// Leave out Storage
//require("firebase/storage");

var config = {
  // ...
};
firebase.initializeApp(config);

Then "firebase.auth().signInWithEmailAndPassword()" kept reporting the error: "Error: The XMLHttpRequest compatibility library was not found."

After fiddling around and trying to find an XMLHttpRequest-compatible module for my node server, I realised in the end that it is probably just a typo in the Firebase doc.
When importing the module, the code should be:
var firebase = require("firebase");

The issue was resolved after I made the change.
Just wanna add this post here, just in case anyone runs into the same issue.


Kato Richardson

Dec 13, 2016, 12:03:52 PM
to Firebase Google Group
Hi Yanbing,

Those instructions are for Browserify and Webpack, not for node. Sorry for the confusion.

☼, Kato




--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
