I am wondering if it is possible to use just the Firebase authentication system together with your own API and database.
It has some nice features I want to take advantage of, however I do not wish to use their database or storage.
The application I am building is an Angular2 and express application with a MongoDB database.
Any answers will be greatly appreciated!
That definitely is possible: you can create your own identity provider that plugs into Firebase Authentication. This is often referred to as custom authentication. To implement this, you need a server (or other trusted process) where you authenticate your users and mint security tokens for then. You then pass this token to the user and have them pass it into Firebase.
But keep in mind: many Firebase features work fine without authentication. For example: if you use Cloud Messaging, Crash Reporting, Test Lab or many other features, you might not need to implement Firebase Authentication at all.
Related
I am new to react-native development. I need to implement User Authentication for Login and Sign Up for my react native apps. I saw some tutorial using Firebase Authentication but I plan to use the mongoDB instead of Firebase. I am not sure how to use mongoDB. For firebase its pretty simple because they provide API URLS and all we need to do is just send the request with our data. But when I am trying to use mongoDB I am not sure how to implement and get the token key back from server side. Do I need to write server side code for mongoDb or they have simplified API URL like firebase? Please Help . Thank You
You are missing a lot of concepts.
Firebase is a BaaS (Backend as a Service), so it sell you a backend already done with authentication, database ecc.
Mongo DB is a database, it could be IaaS (Infrastructure as a Service) or Paas (Platform as a Service), but it's not a BaaS.
So you can't just replace firebase with mongo, but you need to build your whole backend and have a server to deploy it. You need to manage environments, authentication, security and many other feature that firebase already offers you.
In official Cloud Firestore documentation we can read that to connect with Cloud Firestore we need to download private key (.json) and use firebase-admin.
Is it safe to use that metod in client app? Or maybe there is other way to get safe access to Firestore from client app?
Thanks a lot.
As you said "private key (.json) , firebase-admin". These gives direct access to firestore database without authentication. If you don't want to make your client, admin of your firestore :) Don't do it.
Is it safe to use that metod in client app?
firebase-admin is not meant for use in web and mobile clients. It's for backend code running in an environment you fully control. Your users would not have access to this, which means it would be safe for you to use private keys.
You definitely do not want to ship any service account credentials with your app.
Or maybe there is other way to get safe access to Firestore from client app?
You're supposed to use the provided client SDKs to access Firestore from apps, and use security rules to declare which authenticated users are able to read and write which documents.
I must mention that I have no prior experience in backend development, and I know that questions on the subject have been asked before but I need a specific answer to this one.
I was wondering if I could use Firebase authentication to register & sign in my users and store their data in Mongodb?
If so, what am I supposed to learn besides "firebase_auth" and a Mangodb package to make it work?
Yes, you can do that. Actually firebase auth will provide a uid after authentication that you can use in MongoDB to identify the user. To make it work you'll need to have your own backend or APIs that will help you retrieve the data from MongoDB after the user is authenticated via firebase. Whereas a backend or the API is considered you can use any framework to make it eg. flask(python), express(nodejs), ruby on rails, etc.
If you already have an existing authentication system and want to integrate it with firebase then firebase provides custom authentication, you can have a look at the same.
You can use python fast-api that makes your development faster
I'm just starting a new project. The result will be an API server and a progressive web app. The API server is implemented with TypeScript and the NestJS framework, the client with Angular 6.
I've been flirting with keycloak for some time. Still, I'm not quite sure it's right for me yet. But I don't want to worry about things like token renewal anymore and find it sexy that Keycloak tells me how to create user roles.
What bothers me, is the following - integration. For my use case it is necessary that the login and all features like password reset and so on are part of my application. That means I want to create forms myself in order to be able to do this perfectly in my own design and not have a second translation process, etc. Keycloak themes are not an option. So is it possible to hide keycloak in such a way, or is it so complex that I shouldn't use Keyloak in the first place? Afaik there is already an issue with password resets - I can't request it from the user side but have to make an REST call to the admin endpoint - which is okay but not ideal since it requires me to do more server side logic ( and that is not why I want to use Keycloak).
In addition, Keycloak is too much about the GUI - which makes it difficult for me, especially during development. Because I also want to provide my team with a local instance of keycloak during development. But what is the concept to import the initial data into realms, apps and also users into Keycloak? I found some JSON imports - but so far only for realms and apps. Is there also a function to import a whole dumb?
So that my team builds on a pre-built setup and has a user for each role. A reproducible setup with Vagrant or Docker which contains the import of initial data - that would be the goal.
So in short my questions:
Is it still worth the effort using Keycloak if I want to use everything via the API or should I simply use Passport and JWT?
Can I have a reproducible setup during my development that includes realms, apps, users, user roles, etc?
So, the question asked few months ago, but I also faces with that question, and I want to answer on it.
I think that you don't need Keycloak, it is fairly enough for you to use OAuth2 and JWT.
Let's justify my answer:
You have just one client - Angular application. Keycloak useful, when you have many clients (web-js, mobile platforms) and you want to create and manage them dynamically. But, I think that, in your case, you create your client once without modification in the future.
Also, Keycloak very useful, when you have a lot of integration with third part systems (Google, Fb, Twitter and etc) because Keycloak has them out-of-box. Or you need to integrate with some SAML or LDAP provider.
You may use Keycloak, if you need some Identity and User management platform, and when you have complicated user access flow.
In the end, you could consider Keycloak, if you need SSO (Single Sign On) feature. Once logged-in to Keycloak, users don't have to login again to access a different application. But, by your description, you have just one application.
Keycloak offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
It's an out of box solution for rapid security layer development of application.You could have single common security layer for multiple application .
You can implement you security mechanism without using keycloak.
i know this is a question that has been asked many time. but im still concerned about best practice when trying to develop secure code in meteor.
i know you can prevent the client from being able to access the database with the command:
meteor remove insecure
my code currently adds, retrieves records by using Meteor.methods() so although the client is not able to insert data into a collection, it can use the Meteor.method() function. im concerned about holding the login details in the database because would this not mean that the client can use the Meteor.method() function to add/get/remove data from the database.
the client being able to call the Meteor.methods() function seems to still keep the same risk doesn't it? or have i coded me work wrong?
if it help, here is a run down of what my work is doing:
application loads
client calls to get username and password from database
client sends login details to external server (over https) to initiate socket.io connection.
step 2 is the risk because it seems to allow the client to get the login details. once it has this, it uses the socket.io.js library and the api to my webservice to login. so meteor remove insecure doesnt seem to have secured it because get methods are still available in the Meteor.methods()?
being able to use these functions are quite crucial to retrieving data from the database, is there a way around this? what would be best practice for communicating to the database without exposing private data to the client?
Meteor's insecure package is just a tool provided by MDG to quickly prototype apps. It is not meant to be runned in a production app and some people think is a best practise to remove it all together from the start.
After you remove this package, if you want to interact with the database on the client using mini-mongo you must create the appropiate allow and deny rules on the collection. Here is the link for the Meteor documentation on this topic. The other way to interact with the database, is as you said, using Meteor.methods().
Meteor methods calls don't trigger allow or deny rules, since they are runned on the server. You must hardwire all the security measures you need on the Meteor Call by yourself. So it can be a security problem if you don't take the time to secure the call.
Regarding authenticating your clients I would suggest you take a look at Meteor's Accounts package. For example you can add this two packages for basic username/password authentication:
meteor add accounts-base accounts-passwords
Then you can just use the methods detailed on the Meteor Documentation.
I hope this helps.
Login
If you are using accounts-password, you can check the source here to see details of how it works. But here's a rough overview of it. When you call Meteor.loginWithPassword, the password is hashed client-side. Then a method is called with the parameters. The password is then salted and checked against the database server-side. If it matches, the client gets logged in. The client then subscribes to their own user data (Meteor.user()). The server only publishes their data. So everyone else's data is save.
Methods
A method executes code server-side. So they are generally secure. But you can of course write insecure methods. Just know, that you can't trust the parameters passed by the user.