Secure Firebase Auth session token handling in React / FastAPI


Zachary Smith

Jan 21, 2025, 9:11:14 AM
to Firebase Google Group
Hi Group,

Looking for some guidance around secure architecture involving web apps - developing an infrastructure that uses Firebase Auth for user session authentication, via a React web app with email/password identification.

We're using FastAPI (via Cloud Run) for various reasons, but need to identify users per API request - planning on using the ID token associated with the user Firebase Auth session, passed as a Bearer token, to re-auth users via an API-side service worker.

Rough architecture is as follows:
[Attached image: Blank diagram.png]

Main question is whether better practices exist - would prefer to maintain current infrastructure (not use Firebase hosting / functions). Considering an alternate structure where all Firebase calls (including login) are passed via the API, in order to issue a secure HTTP Only Cookie, but given the existence of the Firebase React library performing auth via React seems the most logical. 

Any advice appreciated (and apologies if this is considered out of scope for the group),
Best regards,
Zachary

Daniel

Jan 22, 2025, 9:06:25 AM
to fireba...@googlegroups.com
One option you have would be to set up an additional step in your auth to exchange a Firebase auth token (i.e. one that is created client side, as you do now) and then validating that token server side, extracting the uid and using a custom token in an HTTP cookie (https://firebase.google.com/docs/auth/admin/create-custom-tokens).

The benefit is you can keep using any client-side auth UI/library, but thereafter you wouldn't need the token to be stored server side. Refresh is then your call really; you could generate your own refresh token and endpoint to recreate the custom JWT, or rerun the above step using client-side/Firebase reauth.

Does that make sense?
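
The exchange step discussed in the reply above, as an added example that is not code from the thread or from Firebase. Assumptions: `verify_id_token` is injected (in a deployment it would be `firebase_admin.auth.verify_id_token`), an HMAC-signed value stands in for the token carried in the cookie, and the names `SESSION_KEY`, `SESSION_TTL`, `exchange_id_token` and `read_session` are hypothetical.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SESSION_KEY = b"constructed-demo-key"  # constructed value; load from a secret store
SESSION_TTL = 3600                     # seconds; assumption, tie to your refresh plan

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(payload: str) -> str:
    return b64url(hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).digest())

def exchange_id_token(id_token, verify_id_token, now=None):
    """Verify the client's Firebase ID token, return a Set-Cookie header value.

    verify_id_token is injected and must raise on an invalid token and
    return the decoded claims (including "uid") on success.
    """
    claims = verify_id_token(id_token)  # raises -> the route answers 401
    now = int(time.time()) if now is None else now
    payload = b64url(json.dumps({"uid": claims["uid"], "exp": now + SESSION_TTL}).encode())
    cookie = SimpleCookie()
    cookie["session"] = f"{payload}.{sign(payload)}"
    # HttpOnly keeps the value away from page scripts; Secure limits it to HTTPS.
    # SameSite=Strict assumes the React app and the API are served from one site.
    cookie["session"].update({"httponly": True, "secure": True, "samesite": "Strict",
                              "path": "/", "max-age": SESSION_TTL})
    return cookie["session"].OutputString()

def read_session(cookie_header, now=None):
    """Return the uid from a request's Cookie header, or None if invalid or expired."""
    jar = SimpleCookie(cookie_header)
    if "session" not in jar:
        return None
    payload, _, sig = jar["session"].value.partition(".")
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        return None  # tampered or signed with another key
    data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    return data["uid"] if data["exp"] > now else None
```

In a FastAPI route the string returned by `exchange_id_token` goes into the response's `Set-Cookie` header, and `read_session` runs in a dependency on each later request.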
