I have a pretty common use case that was unfortunately vaguely described in this question:
Firebase authentication with Parse user
I am using Parse as my backend and I want to add real-time chat using Firebase.
20% of users will use chat, so it would be inefficient to replicate all users on Firebase (on Parse signup).
I would like to sign the user up in the background when he starts a chat with another user.
I believe this raises some security concerns, among others, which leads me to my question:
What is the most efficient and secure way to tackle this problem ?
Related
Requesting a sanity check on a question of how to structure Google Oauth in my app.
The app I'm trying to build - call it AppX - will let users create an account with the app (ideally with username/password or with Google login), and then the user will be able to connect their AppX account with several of their Google accounts for the sake of pulling up their various calendars. This is handy when, for example, a user has separate personal and work Google accounts, but they want to be able to see both calendars in AppX.
To accomplish this, I was originally going with the oauth2 token model which can happen purely on the client side. I was then going to send the resulting token back to the server to save onto the user object, and then figure out a way to allow the user to do several of these oauths.
However, this SO question is making me think that with that client-side approach, the UX for refreshing the token is jarring for the user. So I'm thinking I actually need to do this on the server-side using these instructions, which will allow me to store the tokens for multiple oauths and create a more transparent refresh token experience.
Is this server-side approach considered best practice?
My goal is to prevent users of multiple login in. I do not want this to be client-side, with like the onDisconnect and onConnect values, but with a server check. I came across this answer:
How to prevent simultaneous logins of the same user with Firebase?
Which tells me to create a custom auth system. When I am following the docs (https://firebase.google.com/docs/auth/ios/custom-auth) I need to "Copy this file to your authentication server" (3c). How would I do this? I am just using Firebase and my little iOS app. I would like to manage everything on these 2 things, no server in between, is this possible? Or can this file only be uploaded through another server?
If above things are not possible, how can I server check if the user really signed in? I am using Cloud Functions, but I did not came across a trigger for a user signing in. Please no answers with onDisconnect/onConnect, I want it server side. A user may NOT login if he is already logged in. Thanks :)
Implementing custom authentication requires that you have a secure place to mint the custom token that identifies each of your users. You cannot do this securely with only client-side code, because that would mean everyone could claim to be whoever they want.
While you can use Cloud Functions for Firebase to implement a secure back-end without spinning up your own server, I highly recommend against doing that just for the purpose of preventing a user to sign in from multiple locations.
It's important when talking about security to split these two steps:
Authentication - a user proving to be who they are
Authorization - the authenticated user being able to use your app
There very seldom is a reason to keep a user from proving who they are. Your concern seems to fall onto keeping them from using the app from multiple locations. To do that, it's probably easier to track for each user where they are using the app from already using Firebase Database's presence system.
Also see:
How to handle multiple connections of the same user on Firebase?
Android - How to detect same user from multiple devices?
How to prevent same user logging in from different devices ? My app is paid , so I dont want credentials to be shared
I have an iOS app using Swift that uses Core Data to store user data on thousands of objects. I also have FB Auth working. My question is, how do I make it so that the user data would persist even when they switch phones and log in using FB on a separate phone? It doesn't seem that FB will offer me such data persistence. I'm looking at making a server on Heroku with Vapor. Then I could use the user's e-mail as a way to identify the user... but it doesn't seem secure?
Any suggestions on easiest solution?
Checkout Firebase... Instead of using e-mail to authenticate users, you should deal with tokens. Firebase will provide you a great data flow in easiest manner.
I'm building an iOS (Swift) app that needs realtime chat as part of the functionality. While Parse works well for push, data storage, etc..., it doesn't support realtime. I would like to use Firebase for the realtime support, but need help authenticating to Firebase using a Parse user. I really don't know where to start with this. Any help would be greatly appreciated.
The question is pretty vague so a definitive answer is not possible: here's a thought.
Firebase and Parse are two different companies and therefore require separate authentications.
If your users have a username/password type authentication in Parse, you could use the same data in Firebase and authenticate through code. i.e. User creates a new account in Parse, and an account is created in Firebase via code. When the user authenticates to Parse, it also authenticates to Firebase via code.
There are a LOT of design elements to consider in going this route: how do you create a firebase user (in code) without your app authenticating itself as a 'super' user? Hard code credentials? That may be a security issue.
Are you going to keep two sets of user data? One in Parse and one in Firebase? What if a user needs to reset their password or account. As you can see, it can get out of control rather quickly.
You may want to consider sticking with one platform to simplify the entire process. By the sound of at least one of the requirements, Firebase can do much of what Parse can do but also give the real-time updates you need.
I've been using Firebase as a way to synchronize data between a Rails application and a mobile web-kit based application. I've recently been attempting to use the email/password authentication method in lieu of custom auth tokens.
Everything works as expected, but my concern is with user creation and authentication.
Currently, I'm able to create a user, both on Rails (using a self-modified version of the firebase-ruby gem) and through the mobile app, using the firebase node module.
So from the stance of a malicious user, is it correct to assume that I can create a Simple Login user with the JS library (for anyone's firebase instance), and then authenticate with that user, and attempt to read any data that they have stored?
Of course one shouldn't leave their entire Firebase data structure unprotected. So this only works in a situation where one has only set up the default security rules.
Either way, is there any way to prevent anyone from creating users, except for myself (or some other authorized person) without resorting back to custom authentication? I understand the difference between authentication (the server knows who you are) and authorization (the server is letting you in).
Any feedback is appreciated.
In my conversation with Frank, it appears that there is no way to prevent malicious users from creating any number of accounts on a Firebase instance through email/password Simple Login. This doesn't allow them authorization to any data per se, but could be annoying for the SysAdmin/DevOp who was maintaining the Firebase instance.