Flutter: can I mix Firebase Auth with Mongodb Databases? - mongodb

I must mention that I have no prior experience in backend development, and I know that questions on the subject have been asked before but I need a specific answer to this one.
I was wondering if I could use Firebase authentication to register & sign in my users and store their data in MongoDB?
If so, what am I supposed to learn besides "firebase_auth" and a MongoDB package to make it work?

Yes, you can do that. Actually, Firebase Auth will provide a uid after authentication that you can use in MongoDB to identify the user. To make it work you'll need to have your own backend or APIs that will help you retrieve the data from MongoDB after the user is authenticated via Firebase. As far as the backend or the API is concerned, you can use any framework to make it, e.g. Flask (Python), Express (Node.js), Ruby on Rails, etc.
If you already have an existing authentication system and want to integrate it with Firebase, then Firebase provides custom authentication; you can have a look at the same.

You can use Python FastAPI, which makes your development faster.
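An added example, not from the original answers, of the backend step the first answer describes: verify the ID token, take the uid from its `sub` claim, and use only that uid to select the MongoDB document. The key pair, project ID and in-memory `profiles` array are constructed stand-ins; a real backend would call the Firebase Admin SDK's `verifyIdToken` rather than this hand-written verifier, which is here only to make the checks visible.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const PROJECT_ID = 'demo-project'; // constructed placeholder project ID
// Constructed key pair standing in for the token issuer's signing key.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (s) => Buffer.from(s).toString('base64url');

// Demo helper: mints an RS256 token so the verifier has input to check.
function mintToken(claims, key = privateKey) {
  const data = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${data}.${sign('sha256', Buffer.from(data), key).toString('base64url')}`;
}

// Returns the uid (the `sub` claim) or throws. Signature first, then claims.
function verifyIdToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${head}.${body}`);
  if (!verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const c = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (c.aud !== PROJECT_ID) throw new Error('wrong audience');
  if (c.iss !== `https://securetoken.google.com/${PROJECT_ID}`) throw new Error('wrong issuer');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (typeof c.sub !== 'string' || c.sub === '') throw new Error('missing uid');
  return c.sub;
}

// Constructed in-memory stand-in for a MongoDB collection keyed by uid.
const profiles = [{ uid: 'uid-alice', plan: 'pro' }, { uid: 'uid-bob', plan: 'free' }];

// Handler: identity comes from the verified token, never from the request body.
function getProfile(req) {
  const m = /^Bearer (\S+)$/.exec((req.headers || {}).authorization || '');
  if (!m) return { status: 401 };
  let uid;
  try { uid = verifyIdToken(m[1]); } catch (err) { return { status: 401 }; }
  const doc = profiles.find((p) => p.uid === uid);
  return doc ? { status: 200, body: doc } : { status: 404 };
}
```

A `uid` field sent in the request body is ignored, so a signed-in user can only ever reach the document stored under their own uid.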

Related

User Management Token - React Native / MongoDB

I am new to React Native development. I need to implement user authentication for login and sign-up for my React Native apps. I saw some tutorials using Firebase Authentication, but I plan to use MongoDB instead of Firebase. I am not sure how to use MongoDB. For Firebase it's pretty simple because they provide API URLs and all we need to do is just send the request with our data. But when I am trying to use MongoDB I am not sure how to implement it and get the token key back from the server side. Do I need to write server-side code for MongoDB, or do they have simplified API URLs like Firebase? Please help. Thank you.
You are missing a lot of concepts.
Firebase is a BaaS (Backend as a Service), so it sells you a backend already done, with authentication, database, etc.
MongoDB is a database; it could be IaaS (Infrastructure as a Service) or PaaS (Platform as a Service), but it's not a BaaS.
So you can't just replace Firebase with Mongo; you need to build your whole backend and have a server to deploy it. You need to manage environments, authentication, security and many other features that Firebase already offers you.

Cloud firestore sensitive information in .json file

In the official Cloud Firestore documentation we can read that to connect with Cloud Firestore we need to download a private key (.json) and use firebase-admin.
Is it safe to use that method in a client app? Or maybe there is another way to get safe access to Firestore from a client app?
Thanks a lot.
As you said: "private key (.json), firebase-admin". These give direct access to the Firestore database without authentication. If you don't want to make your client an admin of your Firestore :) don't do it.
Is it safe to use that method in client app?
firebase-admin is not meant for use in web and mobile clients. It's for backend code running in an environment you fully control. Your users would not have access to this, which means it would be safe for you to use private keys.
You definitely do not want to ship any service account credentials with your app.
Or maybe there is other way to get safe access to Firestore from client app?
You're supposed to use the provided client SDKs to access Firestore from apps, and use security rules to declare which authenticated users are able to read and write which documents.

How can I access my database (mongodb mlab) directly from a react application without actually having to build an api?

There are tons of examples creating a React CRUD application using an API, but I could not find one that directly accesses the database. Even when I continued with the API, I didn't know how to restrict people from using the API to delete and put data stored. Please help me, and thanks in advance.
Check out Firebase. Here's a tutorial on integrating with React:
https://www.youtube.com/watch?v=mwNATxfUsgI
Firebase is a backend as a service. It won't let you access your MongoDB database, but it will provide you with a database.

Firebase authentication with another API

I am wondering if it is possible to use just the Firebase authentication system together with your own API and database.
It has some nice features I want to take advantage of, however I do not wish to use their database or storage.
The application I am building is an Angular2 and express application with a MongoDB database.
Any answers will be greatly appreciated!
That definitely is possible: you can create your own identity provider that plugs into Firebase Authentication. This is often referred to as custom authentication. To implement this, you need a server (or other trusted process) where you authenticate your users and mint security tokens for them. You then pass this token to the user and have them pass it into Firebase.
But keep in mind: many Firebase features work fine without authentication. For example: if you use Cloud Messaging, Crash Reporting, Test Lab or many other features, you might not need to implement Firebase Authentication at all.

MeteorJS Removing insecure Security Flaw?

I know this is a question that has been asked many times, but I'm still concerned about best practice when trying to develop secure code in Meteor.
I know you can prevent the client from being able to access the database with the command:
meteor remove insecure
My code currently adds and retrieves records by using Meteor.methods(), so although the client is not able to insert data into a collection, it can use the Meteor.method() function. I'm concerned about holding the login details in the database, because would this not mean that the client can use the Meteor.method() function to add/get/remove data from the database?
The client being able to call the Meteor.methods() function seems to still keep the same risk, doesn't it? Or have I coded my work wrong?
If it helps, here is a rundown of what my work is doing:
1. application loads
2. client calls to get username and password from database
3. client sends login details to external server (over https) to initiate socket.io connection.
Step 2 is the risk because it seems to allow the client to get the login details. Once it has this, it uses the socket.io.js library and the API to my web service to log in. So meteor remove insecure doesn't seem to have secured it, because get methods are still available in the Meteor.methods()?
Being able to use these functions is quite crucial to retrieving data from the database. Is there a way around this? What would be best practice for communicating with the database without exposing private data to the client?
Meteor's insecure package is just a tool provided by MDG to quickly prototype apps. It is not meant to be run in a production app, and some people think it is a best practice to remove it altogether from the start.
After you remove this package, if you want to interact with the database on the client using mini-mongo you must create the appropriate allow and deny rules on the collection. Here is the link for the Meteor documentation on this topic. The other way to interact with the database is, as you said, using Meteor.methods().
Meteor method calls don't trigger allow or deny rules, since they are run on the server. You must hardwire all the security measures you need on the Meteor call by yourself. So it can be a security problem if you don't take the time to secure the call.
Regarding authenticating your clients, I would suggest you take a look at Meteor's Accounts package. For example, you can add these two packages for basic username/password authentication:
meteor add accounts-base accounts-password
Then you can just use the methods detailed on the Meteor Documentation.
I hope this helps.
Login
If you are using accounts-password, you can check the source here to see details of how it works. But here's a rough overview of it. When you call Meteor.loginWithPassword, the password is hashed client-side. Then a method is called with the parameters. The password is then salted and checked against the database server-side. If it matches, the client gets logged in. The client then subscribes to their own user data (Meteor.user()). The server only publishes their data. So everyone else's data is safe.
Methods
A method executes code server-side. So they are generally secure. But you can of course write insecure methods. Just know that you can't trust the parameters passed by the user.
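An added, framework-free sketch (not code from the answers above or from Meteor) of the checks the answers say a method has to hardwire for itself: require a logged-in caller, type-check every parameter, and scope the query to the caller's own documents. The `notes` array, `MethodError`, `requireString` and `callMethod` are hypothetical names; `this.userId` mirrors the invocation context Meteor gives a method, and in a Meteor app the type checks would use `check` from `meteor/check`.

```javascript
// Constructed in-memory stand-in for a server-side collection.
const notes = [
  { _id: 'n1', owner: 'u1', text: 'alice draft' },
  { _id: 'n2', owner: 'u2', text: 'bob draft' },
];

class MethodError extends Error {
  constructor(code, msg) { super(msg); this.code = code; }
}

// Accept only a non-empty, bounded string; objects and arrays are rejected
// before they can reach a query selector.
function requireString(value, name, max = 200) {
  if (typeof value !== 'string' || value.length === 0 || value.length > max) {
    throw new MethodError(400, `${name} must be a non-empty string`);
  }
  return value;
}

const methods = {
  'notes.update'(noteId, text) {
    // Identity comes from the server-side session, not from an argument.
    if (!this.userId) throw new MethodError(403, 'not logged in');
    requireString(noteId, 'noteId', 32);
    requireString(text, 'text');
    // Ownership is part of the lookup, so other users' notes are never matched.
    const note = notes.find((n) => n._id === noteId && n.owner === this.userId);
    if (!note) throw new MethodError(404, 'not found');
    note.text = text;
    return { _id: note._id, text: note.text };
  },
};

// Hypothetical dispatcher standing in for the framework's method call.
function callMethod(name, userId, ...args) {
  if (!Object.prototype.hasOwnProperty.call(methods, name)) return { error: 404 };
  try {
    return { result: methods[name].apply({ userId }, args) };
  } catch (e) {
    return { error: e.code || 500 };
  }
}
```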