Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to safely use Firebase Auth on a PHP web app

Tags:

javascript

php

firebase

firebase-authentication

I am building a news website on with PHP and MySQL. For user management, I'm considering using Firebase Auth.

The login, password, email confirmation, etc, will be managed by Firebase. This part was easily achieved using the docs in Javascript.

But at one point the web app needs to know the email of user, for example, to manage the content and allow access to restricted areas, connecting to the MySQL DB using PHP.

Firebase Auth uses JavaScript to find out the email for example:

      firebase.auth().onAuthStateChanged(function(user) {

                var user = firebase.auth().currentUser;

                if(user != null){

                  var email_id = user.email;

                }
        }

How can I safely get the user email logged in on the session and send to the server side using PHP? How can I safely be sure the session expired and let the app know about that using PHP? Is this approach recommended (Firebase Auth + PHP website)?

Thanks!

like image 882
tomDev Avatar asked Aug 15 '18 19:08

tomDev

People also ask

Can Firebase be used with PHP?

Q: Can I use Firebase with PHP? A: Yes, Firebase provides a comprehensive API for integrating the platform with your PHP projects.

Is Firebase authentication safe?

As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.

Does Firebase Auth use JWT?

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

1 Answers

To securely know what user is accessing your web site, you:

  1. retrieve the ID token of the user on the client
  2. securely send the resulting JWT to your back-end
  3. decode and verify the ID token on your back-end

Ideally you'd use the Firebase Admin SDK for that last step. But unfortunately there is no official Firebase Admin SDK for PHP (yet). There is a third party library that seems to support validating ID tokens in PHP, but I never tried that myself. Of course, JWT is a well-defined standard, so there are support libraries for many languages on https://jwt.io/.

like image 144
Frank van Puffelen Avatar answered Oct 11 '22 02:10

Frank van Puffelen
Sign in to Comment

Related questions

How to animate list items in Vue when one is removed
Can I fetch a Readable Stream then convert to JSON client side?
Accordion inside a form auto submits
Angular: How to do Credit Card Input?
Babel installation - src doesnt exist
Why does my empty object literal log as false?
npm argument results in "Insufficient number of arguments or no entry found"
Angular 4 dblclick event not working in mobile view
How to check if route matches a pattern with React-Router v4?
Draw d3-axis in react-native
ReactJS: TypeError: Cannot read property 'map' of undefined
Open layers maps, with longitude and latitude get address
Bootstrap 4 Carousel: Individual data-interval on each slide
create "TouchableOpacity" for ReactJS without using react-native-web
how to do javascript await on user input in an async function
Rearrange grid items within resized container keeping one tile constant
Transparent Swipeable drawer Material-UI
iOS 11.4 Safari not respecting 'touch-action: manipulation'
Vuetify navigation drawer issue
Run VueJS app on Localhost

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!