Menu
My setup:
My intention is that a user of the mobile client applications will be able to log in to the mobile app using Firebase authentication, then connect to any of the backend APIs, which in turn will do some processing and then read or write data to/from the Firebase database.
To secure the APIs on the server, I think I'll have to use the built-in verifyIdToken() method of the Firebase Server SDK to (see Verifying ID Tokens on Firebase) to decode a user's ID token passed from the client application. As verifyIdToken() runs asynchronously, how would I integrate it with an API method in GAE? I have something similar to the following so far:
@ApiMethod(name = "processAndSaveToDB", httpMethod = "post")
public Response processAndSaveToDB(@Named("token") String token) {
Response response = new Response();
// Check if the user is authenticated first
FirebaseAuth.getInstance().verifyIdToken(idToken)
.addOnSuccessListener(new OnSuccessListener() {
@Override
public void onSuccess(FirebaseToken decodedToken) {
String uid = decodedToken.getUid();
// do bulk of processAndSaveToDB() method
})
.addOnFailureListener(new OnFailureListener() {
@Override
public void onFailure(Exception e) {
// throw unauthorized exception
});
return response;
}
235
Be sure your Firebase project is still selected. Click Create credentials > API key. Take note of the new API key, then click Restrict key. In the API restrictions section, select Restrict key, then add to the list only the Super Service API .
As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
Google ID token authentication Authentication with a Google ID token allows users to authenticate by signing in with a Google account. Once authenticated, the user has access to all Google services. You can use Google ID tokens to make calls to Google APIs and to APIs managed by Endpoints.
As this authentication task is running asynchronously in task queue, you can wait until that task is ended and continue in synchronous way, optionally you can add listeners onSuccess, onFailure and onComplete.
Task<FirebaseToken> authTask = FirebaseAuth.getInstance().verifyIdToken(idToken)
.addOnSuccessListener(new OnSuccessListener() {
@Override
public void onSuccess(Object tr) {//do smtg }
}).addOnFailureListener(new OnFailureListener() {
@Override
public void onFailure(Exception excptn) {//do smtg }
}).addOnCompleteListener(new OnCompleteListener() {
@Override
public void onComplete(Task task) {//do smtg }
});
try {
Tasks.await(authTask);
} catch(ExecutionException | InterruptedException e ){
//handle error
}
FirebaseToken decodedToken = authTask.getResult();
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
