Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Verify clients Firebase token at node.js server

Tags:

node.js

firebase

I'm implementing a node.js server using express.js for REST and Firebase for data storage.

I have read Using NodeJs with Firebase - Security, and it could be implemented in this manner, but in my case I need to send data to server and server must return a redirect address, so using firebase as communication channel is a bit complex.

I'm currently verifying clients identity at server by sending a Firebase auth token as query parameter and checking authorization with firebase auth() method.

dataRef.auth(CLIENT_TOKEN, function(error) {
  if(error) {
    console.log("Login Failed!", error);
  } else {
    console.log("Login Succeeded!");
  }
});

The problem is, that in server I also need firebase "admin" privileges. To achieve this, I need to authenticate again using firebase auth() using admin token. (generated by firebase-token-generator)

var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
var token = tokenGenerator.createToken({some: "arbitrary", data: "here"});

I noticed that there is a limitation in auth() method:

Note that all references to a Firebase share the same authentication status. So if you call new Firebase( ) twice and call auth() on one of them, they will both be authenticated.

Is there a way to implement this without calling auth() twice?

Or are there better solutions to do this?

like image 398
Tola Avatar asked Sep 18 '13 04:09

Tola

1 Answers

Based on comments and after the implementation, it seems the best solution is to use generic JWT library, such as: https://github.com/hokaccha/node-jwt-simple

With the help of library, you can decode the token with the firebase secret:

// decode
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> {"v":0,"iat":1359943067,"d":{"id":"user@fb,com"}}

Decoded token contains iat (issued at) and may contain exp (expires). If exp is not provided, the default expiration time for firebase token is 24hours. You need to check if the token has been expired.

More details at: https://www.firebase.com/docs/security/custom-login.html

like image 76
Tola Avatar answered Oct 15 '22 05:10

Tola
Sign in to Comment

Related questions

WebRTC Data Channel server to clients UDP communication
Why cant I inline call to res.json?
Node.js Server running from a sub folder
Best place to handle data validation with mongoose and express
check is nodejs connection come from localhost
Error: write EPIPE with node.js and imagemagick
Trying to post multipart/form-data with node.js supertest
Node.js - Programmatically Connect to a VPN or route HTTP Requests via VPN
npm install using pre-release versions
create-react-app + nodejs (express) server
How do Node's bcrypt and bcryptjs libraries differ?
npm audit Arbitrary File Overwrite
@angular-cli install fails with deprecated [email protected]: request has been deprecated (mac)
Node.js and V8 garbage collection
What is the best way to generate a login token? Is this method of authentication vulnerable to attack?
Is it possible to make JavaScript module compatible with both NodeJS and RequireJS?
Mongo DB - sub-collections?
How do I invoke other tasks from my custom task *before* my task code runs?
mongodump/mongorestore from NodeJS or mongoose
How to test endpoints protected by csrf in node.js/express

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!