Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to pass Firebase Auth Token from client to server?

Tags:

authentication

firebase

firebase-authentication

The website that I'm working on uses Firebase authentication and different users that login have different permissions as to which pages they can visit.

The way signing in is setup is similar to this post:

  1. User Logins in with two parameters - "id" and "email"
  2. Server uses these to create a custom "uid", then uses the Firebase Admin SDK to create a custom token that is sent back to the client.
  3. The client logs in with the Javascript Firebase SDK - firebase.auth().signInWithCustomToken()
  4. Now that the user is logged in, they can click different pages - i.e. '/foo', '/bar'

The issue I'm running into is that when they visit new pages, I'm trying to pass the token from the client back to the server (almost identical to how its done in this Firebase Doc ), verify the token & check if it has permission to view the webpage.

I'm trying to figure out the best (& most secure) way to do this. I've considered the following option:

  • Construct a URL with the token, but I've heard this isn't good practice because the token is getting exposed and session hijacking becomes a lot easier.

I've been trying to pass the token in the request header, but from my understanding you can't add headers when the user clicks on a link to a different page (or if its redirected in javascript). The same issue applies to using POST.

What can I do to securely pass this information to the server and check permissions when a user clicks on a link to a different page?

like image 332
wolverine239 Avatar asked Apr 03 '17 22:04

wolverine239

1 Answers

You can get the accessToken (idToken) on client side by:

var accessToken = null;

firebase.auth().currentUser
    .getIdToken()
    .then(function (token) {
        accessToken = token;
    });

and pass it in your request headers:

request.headers['Authorization'] = 'Bearer ' + accessToken;

and on your server side get the token with your prefered method and authenticate the request with Firebase Admin SDK, like (Node.js):

firebaseAdmin.auth()
    .verifyIdToken(accessToken)
    .then(decodedIdToken => {
        return firebaseAdmin.auth().getUser(decodedIdToken.uid);
    })
    .then(user => {
        // Do whatever you want with the user.
    });
like image 155
mehyaa Avatar answered Oct 25 '22 12:10

mehyaa
Sign in to Comment

Related questions

"Hostname match not found" error in firebase phone authentication(with ionic)
Sharing session across rails apps on different subdomains
SourceTree asks password for SSH authentication at each restart
How to authenticate iOS/iPhone users with remote web application and re-use authentication ticket in future requests to the same web application?
How to protect RESTful API
Make Web API authentication return 401 instead of redirect to login page
JWT authentication in SignalR (.NET Core) without passing token in Query String
OpenId via Curl
RESTFul Authentication with WebAPI
NodeJs Passport isAuthenticated() returning false even after login
Win32: How to validate credentials against Active Directory?
How to authenticate an RSS feed
nginx auth_basic "Restricted" prompting login on every request
Best practice to organize authorization in microservice architecture?
ASP.NET Web Site + Windows Forms App + WCF Service: Client Credentials
Create Account, Forgot Password and Change Password
Restrict firestore access to admin-sdk
How can I get browser authentication popup?
ASP.NET Web API authorization and Authentication
Is there a OAuth2 library for Java / Android already? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!