Design approach when using Firebase as backend for Mobile and Web Apps


Ven

Feb 9, 2016, 6:03:42 PM
to Firebase Google Group
Hi,

We are developing Web and Mobile apps with Firebase as backend and Braintree for payments.
Below are the approaches we thought of. Could anyone advise what the right way is, or what corrections we should make in case we are wrong?

for Ionic Mobile App:

Approach 1:
 1. Login using Firebase authentication.
 2. For processing Braintree payments from Ionic app, post to NodeJS server using REST.
 3. Using ExpressJS, verify whether the user is authenticated in Firebase and process the payments.

Approach 2:
 1. Login using Firebase authentication.
 2. For processing Braintree payments from Ionic app, post to Firebase Queue.
 3. Use ExpressJS to monitor Firebase Queue and process the payments.


for Web Application(Angular):

Approach 1:
 1. Login using Firebase authentication.
 2. For processing Braintree payments from Ionic app, post to NodeJS server using REST.
 3. Using ExpressJS, verify whether the user is authenticated in Firebase and process the payments.



Tom Larkworthy

Feb 9, 2016, 7:41:49 PM
to Firebase Google Group
So trying to check the user is authenticated outside Firebase separately is possible, but easy to make a mistake. You would need to transmit the JWT and have the Firebase secret passed to the ExpressJS service. I think including a queue inside your production database is a better path. With the queue and security rules, you can trust that only authenticated users can write to the queue, and have an implicit level of trust in the data within it. So that would be my preferred path.


Ven

Feb 9, 2016, 8:12:50 PM
to Firebase Google Group
Tom,

That throws me 2 questions.

1. If we transmit the JWT, can we use any generic JWT library like https://github.com/hokaccha/node-jwt-simple to decode it and check the expiration times? Is that fine?

2. Is it advisable to use the queue for storing Credit Card data? Would we not be compromising on SAQ-A?

Thanks
Ven

Tom Larkworthy

Feb 9, 2016, 8:22:24 PM
to Firebase Google Group
1. Yes, have a look at the first answer here: http://stackoverflow.com/questions/18863819/verify-clients-firebase-token-at-node-js-server

2. That's beyond my knowledge. There is a bit of a thread here on the topic: https://groups.google.com/forum/#!topic/firebase-talk/sg-WCHVXs5k. If that's a blocker, then by elimination you know which route to choose!

Tom


Tom Larkworthy

Feb 9, 2016, 8:34:48 PM
to Firebase Google Group
So I did not really appreciate initially that the CC information was the relevant question. Payment providers like Stripe can do a dance without Firebase handling the actual number. I am not sure about Braintree; is this approach relevant? http://stackoverflow.com/questions/22879095/firebase-payment-gateways

Ven

Feb 10, 2016, 5:49:06 PM
to Firebase Google Group
Thank you Tom. That clears the air.
We will go with NodeJS.

Ven