Understanding Firebase Authentication in Node.js Apps


Giordon Stark

Aug 30, 2016, 10:35:07 AM
to Firebase Google Group
Hi all,

I've used Firebase in 2.x.x and it looks like the changes to 3.x.x bring up a lot more questions and confusion about how the API is supposed to work. Right now, I have an app that restricts users based on their Facebook ID before touching firebase. Then on top of all of this, I have pages protected entirely unless the user is logged in and is part of a select few FB user IDs. So for example, one page is an 'edit' page:

        res.render('edit', {
            playName: req.params.playName,
            title: req.params.playName.replace(/_/g, ' '),
            currIndex: req.params.currIndex,
            yaml: req.yaml,
            firebaseToken: tokenGenerator.createToken({uid: "admin"})
        });
    };

which passes in a firebase token that gets generated with a uid. (Right now, I was still confused about making user systems so I hard-coded uid for all facebook users with access since this was a small app).

The jade view for this would have

            var firepadRef = new Firebase('https://captionator.firebaseio.com/');
            firepadRef = firepadRef.child('#{playName}');
            firepadRef.authWithCustomToken("#{firebaseToken}", function(err, authData){
                if(err){
                    console.log("Login Failed!", err);
                } else {
                    console.log("Login Succeeded!", authData);
                }
            });

which took in that custom token which allows the user read/write access to a specific item.

I don't understand how to do the same thing in v3 at the moment or what actual best practices are for handling users and setting up roles. In particular, being able to create objects that particular groups have access to, and having users be assigned to groups. So far, I can't find any good resources on that, especially when I need to integrate a third-party auth. I use passportjs to set up facebook authentication, and that gives me a specific user id / user token -- and not sure how to set that up with firebase correctly for database stuff.

A lot of posts ask about nodeJS access with auth access to the back end and it seems to be that you need to create a service account to do this (I don't really want to do that). Does this mean I should stick to 2.x.x for now?

Jacob Wenger

Aug 30, 2016, 7:53:52 PM
to fireba...@googlegroups.com
Hey Giordon,

Let me see if I can clear up some of the confusion you are facing. In short, the process for your use case is actually very similar in both the 2.x.x and 3.x.x SDKs. With the 2.x.x SDK, you authenticate a token generator with your Secret and use that to mint custom tokens which you send back to the client and sign the client in via authWithCustomToken(). With the 2.x.x SDK, you authenticate the main Firebase SDK with a service account and use that to mint custom tokens which you send back to the client and sign the client in via signInWithCustomToken(). So, as you can see, the SDKs parallel each other very well for your use case. The token format has changed and the thing used to sign the token has changed, but the process is generally the same.

You can read about the server auth process a bit more here. You should think of a service account as a Secret with many more features. Don't be afraid to create one and use it on your server. Secrets were much more dangerous than service accounts and service accounts have a lot of advantages over them.

Let me know if you have any follow up questions.
 
Cheers,
Jacob


Kato Richardson

Sep 1, 2016, 12:08:37 PM
to Firebase Google Group
Jacob had one little typo in his message which may cause some confusion. Since I don't ever get to correct Jacob (this might be the first) I'm not going to miss this opportunity!

With the 3.x.x SDK, you authenticate the main Firebase SDK with a service account and use that to mint custom tokens...




--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
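Added example, not part of the thread and not Firebase's own code: a sketch of the 3.x custom token that a service account signs, built by hand with Node's `crypto` so the format is visible, with a per-user uid and a role claim in place of a shared `uid: "admin"`. The key pair, service-account e-mail, allowlist, `facebook:` uid prefix and `editor` claim name are constructed assumptions.

```javascript
const crypto = require('crypto');

// Constructed stand-in for a service account; a real one is loaded from its JSON key file.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const serviceAccount = {
  client_email: 'example-sa@example-project.iam.gserviceaccount.com', // placeholder
  private_key: privateKey,
};
const AUDIENCE =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// Constructed allowlist: Facebook IDs (as returned by Passport) mapped to a role flag.
const ALLOWED = new Map([['1000001', { editor: true }], ['1000002', { editor: false }]]);

const b64url = (data) =>
  Buffer.from(data).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Mint a token only for an allow-listed, already authenticated Facebook user.
function mintCustomToken(facebookId, now = Math.floor(Date.now() / 1000)) {
  const role = ALLOWED.get(String(facebookId));
  if (!role) throw new Error('Facebook ID not on the allowlist');
  const payload = {
    iss: serviceAccount.client_email,
    sub: serviceAccount.client_email,
    aud: AUDIENCE,
    iat: now,
    exp: now + 3600,                 // custom tokens may live at most one hour
    uid: 'facebook:' + facebookId,   // one uid per user, so rules can tell users apart
    claims: { editor: role.editor }, // readable in database rules as auth.token.editor
  };
  const signingInput =
    b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  const signature = crypto.createSign('RSA-SHA256').update(signingInput)
    .sign(serviceAccount.private_key);
  return signingInput + '.' + b64url(signature);
}

// Check the signature and decode the payload, to inspect what the server issued.
function decodeAndVerify(token, key) {
  const [header, payload, signature] = token.split('.');
  const ok = crypto.createVerify('RSA-SHA256').update(header + '.' + payload)
    .verify(key, Buffer.from(signature, 'base64')); // Node's base64 decoder accepts base64url
  return { ok, payload: JSON.parse(Buffer.from(payload, 'base64').toString('utf8')) };
}
```

The string returned by `mintCustomToken` is what the page would hand to `signInWithCustomToken()`; the private key stays on the server.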
