In official Cloud Firestore documentation we can read that to connect with Cloud Firestore we need to download private key (.json) and use firebase-admin.
Is it safe to use that metod in client app? Or maybe there is other way to get safe access to Firestore from client app?
Thanks a lot.
As you said "private key (.json) , firebase-admin". These gives direct access to firestore database without authentication. If you don't want to make your client, admin of your firestore :) Don't do it.
Is it safe to use that metod in client app?
firebase-admin is not meant for use in web and mobile clients. It's for backend code running in an environment you fully control. Your users would not have access to this, which means it would be safe for you to use private keys.
You definitely do not want to ship any service account credentials with your app.
Or maybe there is other way to get safe access to Firestore from client app?
You're supposed to use the provided client SDKs to access Firestore from apps, and use security rules to declare which authenticated users are able to read and write which documents.
Related
I'm making a mobile app using flutter and firebase.
To use Cloud Messaging of firebase, I need to send server key of firebase by putting in headers and sending with http post method.
headers: {
'Authorization': server key
}
However, it is not a recommended way to use server key. Firebase recommends to download json file of service account and use that file to get JWT token from firebase. Otherwise, I have to use Admin SDK and it's difficult for us because we don't have a backend server.
Therefore, my question is that are there any good ways to store json files in client side or local environment or firebase or Azure and can read the file only when we need it.
Plus, if you know the better way to send FCM from client side, please let me know. Thank you so much for reading it.
I have to use Admin SDK and it's difficult for us because we don't
have a backend server.
You can very well use the Admin SDK with Cloud Functions for Firebase, the "serverless framework that lets you run backend code". It is very common to use Cloud Functions to send message requests to the FCM backend, which then routes messages to client apps running on users' devices.
There is actually an official example that demonstrates how to send an FCM notification from a Realtime Database triggered Function. You can adapt it to be triggered by any other available trigger mechanism.
I am new to react-native development. I need to implement User Authentication for Login and Sign Up for my react native apps. I saw some tutorial using Firebase Authentication but I plan to use the mongoDB instead of Firebase. I am not sure how to use mongoDB. For firebase its pretty simple because they provide API URLS and all we need to do is just send the request with our data. But when I am trying to use mongoDB I am not sure how to implement and get the token key back from server side. Do I need to write server side code for mongoDb or they have simplified API URL like firebase? Please Help . Thank You
You are missing a lot of concepts.
Firebase is a BaaS (Backend as a Service), so it sell you a backend already done with authentication, database ecc.
Mongo DB is a database, it could be IaaS (Infrastructure as a Service) or Paas (Platform as a Service), but it's not a BaaS.
So you can't just replace firebase with mongo, but you need to build your whole backend and have a server to deploy it. You need to manage environments, authentication, security and many other feature that firebase already offers you.
TL;DL
Is it OK to store api key for Google map api on Firebase Firestore with security rules ?
Question
I'm working on map features using google_maps_flutter plugin. This package describes to store the key on source code on its document, but this seems to be insecure.
Many developers describing that the most secure way to manage api key is to store on server side and I agree with this idea.
I found the issue but it seems that the plugin does not have a way to provide the api key dynamically.
In the iOS sdk, they have GMSServices.provideAPIKey(Could not find same kind of methods on Android) and this allows to provide api key dynamically.
If the plugin support these features in future, is it OK to store the key on firestore with security rules?
Thank you
If your third-Party API Key are sensitive, they should stay on the server and never reach the User's device.
So, you could store them on Firestore with strong security rules (i.e. only readable with admin privileges) and then place the third-party API calls within Firebase Cloud Functions.
I must mention that I have no prior experience in backend development, and I know that questions on the subject have been asked before but I need a specific answer to this one.
I was wondering if I could use Firebase authentication to register & sign in my users and store their data in Mongodb?
If so, what am I supposed to learn besides "firebase_auth" and a Mangodb package to make it work?
Yes, you can do that. Actually firebase auth will provide a uid after authentication that you can use in MongoDB to identify the user. To make it work you'll need to have your own backend or APIs that will help you retrieve the data from MongoDB after the user is authenticated via firebase. Whereas a backend or the API is considered you can use any framework to make it eg. flask(python), express(nodejs), ruby on rails, etc.
If you already have an existing authentication system and want to integrate it with firebase then firebase provides custom authentication, you can have a look at the same.
You can use python fast-api that makes your development faster
I am wondering if it is possible to use just the Firebase authentication system together with your own API and database.
It has some nice features I want to take advantage of, however I do not wish to use their database or storage.
The application I am building is an Angular2 and express application with a MongoDB database.
Any answers will be greatly appreciated!
That definitely is possible: you can create your own identity provider that plugs into Firebase Authentication. This is often referred to as custom authentication. To implement this, you need a server (or other trusted process) where you authenticate your users and mint security tokens for then. You then pass this token to the user and have them pass it into Firebase.
But keep in mind: many Firebase features work fine without authentication. For example: if you use Cloud Messaging, Crash Reporting, Test Lab or many other features, you might not need to implement Firebase Authentication at all.