Hi Group,
Looking for some guidance around secure architecture involving web apps - developing an infrastructure that uses Firebase Auth for user session authentication, via a React web app with email/password identification.
We're using FastAPI (via Cloud Run) for various reasons, but need to identify users per API request - planning on using the ID token associated with the user's Firebase Auth session, passed as a Bearer token, to re-auth users via an API-side service worker.
Rough architecture is as follows:
Main question is whether better practices exist - would prefer to maintain current infrastructure (not use Firebase hosting / functions). Considering an alternate structure where all Firebase calls (including login) are passed via the API, in order to issue a secure HTTP Only Cookie, but given the existence of the Firebase React library, performing auth via React seems the most logical.
Any advice appreciated (and apologies if this is considered out of scope for the group),
Best regards,
Zachary
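As an added example (not code from the original post or from Firebase), here is a stdlib-only Python module showing what the API side has to check when it receives the Firebase ID token as a Bearer token. The claim rules follow Firebase's documented manual verification of ID tokens (RS256 with a known `kid`, `exp`, `iat` and `auth_time` plausible, `aud` and `iss` bound to the project, non-empty `sub`). The RS256 signature check against Google's securetoken certificates is injected as a callable so the file runs offline; the HMAC key set, project id, uid and timestamps are constructed placeholders, and `bearer_token`, `current_uid` and `is_rejected` are names chosen for this example. In production `firebase_admin.auth.verify_id_token()` performs all of these checks for you.

```python
"""Checks an API must apply to a Firebase ID token sent as a Bearer token.

Added example, not from the original post. Claim rules follow Firebase's
documented manual verification of ID tokens; firebase_admin's
verify_id_token() applies the same rules plus the RS256 signature check
against Google's securetoken certificates. The signature step is injected
as a callable so this runs offline; the HMAC key set is a constructed stand-in.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Mapping, Optional

ISSUER_PREFIX = "https://securetoken.google.com/"


class TokenError(Exception):
    """The token must be rejected; the API should answer 401."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def bearer_token(headers: Mapping[str, str]) -> str:
    """Extract the raw token from 'Authorization: Bearer <token>'."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing or malformed Authorization header")
    return token.strip()


def verify_firebase_id_token(token: str, project_id: str,
                             verify_signature: Callable[[str, bytes, bytes], bool],
                             now: Optional[int] = None) -> dict:
    """Return the verified claims or raise TokenError.

    verify_signature(kid, signing_input, signature) must return True only if
    signature is a valid RS256 signature over signing_input by Google's
    securetoken key with that kid (unknown kid => False, never a fallback key).
    """
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise TokenError(f"not a well-formed JWT: {exc}")
    if header.get("alg") != "RS256":
        raise TokenError("unexpected alg")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise TokenError("missing kid")
    # Verify the signature before trusting any claim value.
    if not verify_signature(kid, f"{h64}.{p64}".encode(), signature):
        raise TokenError("bad signature")
    for name in ("exp", "iat", "auth_time"):
        if not isinstance(claims.get(name), int):
            raise TokenError(f"{name} missing or not an integer")
    if claims["exp"] <= now:
        raise TokenError("token expired")
    if claims["iat"] > now or claims["auth_time"] > now:
        raise TokenError("iat/auth_time in the future")
    # Bind the token to this project: both aud and iss must name it.
    if claims.get("aud") != project_id:
        raise TokenError("aud does not match project")
    if claims.get("iss") != ISSUER_PREFIX + project_id:
        raise TokenError("iss does not match project")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenError("sub (uid) missing")
    return claims


# Constructed stand-in for Google's signing keys (HMAC, NOT real RS256).
DEMO_KEYS = {"kid-demo-1": b"constructed-demo-secret"}


def demo_verify_signature(kid: str, signing_input: bytes, signature: bytes) -> bool:
    key = DEMO_KEYS.get(kid)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), signature)


def make_demo_token(claims: dict, kid: str = "kid-demo-1", key: Optional[bytes] = None) -> str:
    """Mint a token in the shape Firebase uses, signed with the demo key."""
    key = key if key is not None else DEMO_KEYS[kid]
    h64 = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"


def demo_claims(project_id: str, now: int) -> dict:
    """Constructed claim set matching what Firebase issues for a signed-in user."""
    return {"iss": ISSUER_PREFIX + project_id, "aud": project_id, "sub": "uid-123",
            "iat": now - 60, "exp": now + 3540, "auth_time": now - 60}


def current_uid(headers: Mapping[str, str], project_id: str, now: Optional[int] = None) -> str:
    """What a FastAPI dependency would return: the verified uid for this request."""
    return verify_firebase_id_token(bearer_token(headers), project_id,
                                    demo_verify_signature, now)["sub"]


def is_rejected(headers: Mapping[str, str], project_id: str, now: Optional[int] = None) -> bool:
    try:
        current_uid(headers, project_id, now)
    except TokenError:
        return True
    return False
```

In the FastAPI app the `current_uid` logic would live in a `Depends()` dependency that raises `HTTPException(401)` on `TokenError`, with `demo_verify_signature` replaced by the Admin SDK. If the HttpOnly-cookie variant is preferred later, the Admin SDK also supports exchanging a freshly issued ID token for a Firebase session cookie and verifying that cookie server-side, which gives the cookie flow without proxying the login itself through the API.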