Simple login with REST API


Simone

Sep 1, 2013, 8:10:38 AM
to fireba...@googlegroups.com
Hello, say I write data into Firebase from .NET, which does not have an available client library, and read from a web page, and I want each user to see only the data he wrote and not other users' data.
I thought that using the auth mechanism to correlate writes and reads would make sense and I could use the simple login with mail and password to do so, but it seems that the REST API does not support any other auth mechanisms except custom login (at least, it's not documented). I imagine the available client libraries are implementing simple auth on top of the REST API so one option would be to look at how they do it, but I was wondering if there are any other common alternatives to securely allow a user to access only the data he owns besides using the same auth mechanism on both read and write sides.

Thanks, Simone

Andrew Lee

Sep 2, 2013, 2:03:16 AM
to fireba...@googlegroups.com
Hi Simone -

Typically when accessing Firebase from the server-side, you are running trusted code. In this case, you should authenticate your server to Firebase as being trusted and having full read/write access, rather than changing your auth credentials for each request. 

You should simply authenticate your calls using either your Firebase's secret or an auth token with the "admin" flag set.

On a side note, I should note that Simple Login is not a separate auth mechanism -- it is simply a layer on top of "custom login" that generates auth tokens for you. So Custom Login is a superset of its functionality.

-Andrew


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
Andrew Lee
Founder, Firebase
http://twitter.com/startupandrew

Simone

Sep 2, 2013, 8:08:51 AM
to fireba...@googlegroups.com
Hi Andrew, my point is that I'm not writing from a server, it's a client application running under the .NET framework. Users would be using this application to write data into Firebase, and a Web UI to read such data, and they should be restricted to see only the data that they wrote, hence my question about how to correlate the two given that there is no .NET library available which supports simple login (i.e. user+pass). I had imagined that simple login is just a layer on top of the auth token login, so I assume that the simplest way would be to just reverse engineer what available libraries do to convert simple login to custom auth tokens and do the same in my .NET application.

Simone

Greg Soltis

Sep 2, 2013, 12:11:44 PM
to fireba...@googlegroups.com
Hi Simone,

The Simple Login library is in fact just a wrapper around the auth token login, and the user objects that are provided once you've successfully logged in contain the custom login token: firebaseAuthToken. See User Object Data here: https://www.firebase.com/docs/security/simple-login-email-password.html

That token can be used with the REST API to perform the same actions that the user is authorized to perform. See the 'auth' query parameter: https://www.firebase.com/docs/rest-api.html

Also, I'm curious about your use case of mixed .NET and web UI. If you don't mind me asking, are you building a desktop application, or perhaps using a browser plugin that provides the .NET runtime?

-Greg

Simone Busoli

Sep 2, 2013, 1:31:18 PM
to fireba...@googlegroups.com
Hi Greg,

I read through the REST API docs, the reason why I'd like to use .NET to write data is that it gives me access to information exposed by Windows API more easily than other technologies, but I'd still like to have a Web frontend to display it. Again, since I want the user to only see the data it wrote I need the same auth mechanism on both sides, and email/password sounds like a sensible choice. I'm planning to simply reproduce in .NET code what the simple login JavaScript library does for web.

Simone



Andrew Lee

Sep 2, 2013, 1:38:01 PM
to fireba...@googlegroups.com
Hi Simone -

My apologies for not reading your question more clearly! Your use case makes sense now.

You're free to try to rebuild a simple login client for C# if you like. You might find the debug version of our lib helpful (it's unobfuscated): 
http://cdn.firebase.com/v0/firebase-simple-login-debug.js

In general though, you should be aware that Simple Login is intended only for common use cases. You may want to seriously consider building your own custom login solution.

-Andrew


Simone Busoli

Sep 2, 2013, 1:41:31 PM
to fireba...@googlegroups.com
Hi Andrew, you're welcome, I was heading in that direction anyway, in fact I'm now looking at the debug version of the JS simple login library to see if it makes sense to do the same in .NET.

Thanks for your help,

Simone

Simone

Sep 3, 2013, 3:54:20 AM
to fireba...@googlegroups.com
Hi, another question after I've successfully managed to do simple auth from a .NET client (I realized it's no more than a GET request with some query string parameters). Now I can successfully authenticate a user both when writing from the .NET app and when reading from the Web UI using the js client. How do I make sure that each user has access to only his own data in a secure way that cannot easily be spoofed? The example on the website with comments which can only be edited by the author is not a good example as it requires that the user id is written to the data so it can be compared with the auth-supplied value when modifying the data. On the other hand I cannot think of any other way to accomplish the same in a more secure way, any ideas?

Andrew Lee

Sep 3, 2013, 12:35:07 PM
to fireba...@googlegroups.com
Simone -

The simplest is just to give each user their own path for data.

ie: /users/joe

And then setting the username / userid in the auth token:

{ id: "joe" }

Then all you need is a rule at /users/$userid that says "auth.id == $userid".

-Andrew
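
Added example, not from the thread and not Firebase's own code: a JavaScript model of why the per-user path rule above cannot be spoofed by editing the token. It assumes the custom login token is an HS256 JWT signed with the Firebase secret, with the auth payload in a `d` claim; `mintToken`, `verifyToken`, `mayAccess` and `DEMO_SECRET` are hypothetical names.

```javascript
const crypto = require("crypto");

// Constructed secret for the demo; the real one stays with the trusted token issuer.
const DEMO_SECRET = "constructed-secret-for-illustration";
const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (secret, msg) => crypto.createHmac("sha256", secret).update(msg).digest();

// Assumed token layout: HS256 JWT with the auth payload in the "d" claim.
function mintToken(secret, authData, nowSec) {
  const head = b64url(JSON.stringify({ typ: "JWT", alg: "HS256" }));
  const body = b64url(JSON.stringify({ v: 0, iat: nowSec, d: authData }));
  return `${head}.${body}.${b64url(sign(secret, `${head}.${body}`))}`;
}

// Returns the auth payload when the signature is valid, otherwise null.
function verifyToken(secret, token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const expected = sign(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null; // accept only the expected algorithm
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return claims.d ?? null;
  } catch {
    return null; // malformed header or payload
  }
}

// Model of the rule at /users/$userid: "auth.id == $userid".
// The owner comes from the path segment, not from a field inside the data.
function mayAccess(secret, token, path) {
  const match = /^\/users\/([^/]+)(\/.*)?$/.exec(path);
  if (!match) return false; // no rule grants access outside /users/$userid
  const auth = verifyToken(secret, token);
  return auth !== null && auth.id === match[1];
}
```

The user id never has to be stored in the record: the path segment is the owner, and the only way to present a different `id` is to produce a valid signature, which requires the secret.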

PipisCrew

Mar 11, 2014, 6:37:51 AM
to fireba...@googlegroups.com
sample of firebase custom login on csharp https://gist.github.com/pipiscrew/9483082

Mitesh Shah

Apr 18, 2014, 11:21:07 AM
to fireba...@googlegroups.com
Could you please share details about this with me? I'm working on a C#-based plugin to access per-user data as well.
