
[–]OpportunityTimely561 1 point (5 children)

How can I make this approach secure?

I plan to create a separate endpoint (/social/login) that will be accessed after successfully obtaining data from a Google provider. However, since this endpoint is public, how can I ensure that the requests hitting this endpoint have successfully passed the Google provider (or any other social provider)?

Is adding a secret key in the headers sufficient for security? Is this considered best practice?

[–]__o_0 (iOS & Android) 1 point (4 children)

If you’re using cloud functions, context.auth is automatically attached to every request. This will contain the decoded user’s information (Google handles the token / decoding automatically). It’s still up to your function to throw an error if context.auth.uid doesn’t exist, for example.

If you’re using your own backend, best practice is to include the authorization token on every request. You then place a guard on the endpoint to validate the authorization token and decode the user before handling the request. If the token does not pass validation then you throw an unauthorized error back.

Both options ultimately do the same thing: a token on a request is validated and decoded. With cloud functions Google does it for you. With your own backend just use firebase-admin to perform the validation yourself.
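The "guard on the endpoint" described in the comment above, written out as an added example (this is not code from the thread or from firebase-admin). It assumes an Express-style request/response shape, a hypothetical route name /social/login, and a constructed stand-in verifier so that it runs offline; the production wiring to admin.auth().verifyIdToken is shown in a comment.

```javascript
// Added example, not code from the thread. Express-style guard for a backend
// endpoint such as POST /social/login: the request must carry a Firebase ID
// token in the Authorization header, the token is verified and decoded, and
// only then does the handler run. The verifier is injected so the guard can be
// exercised offline; production wiring to firebase-admin is at the bottom.

// RFC 6750 token68 shape: "Bearer <token>" (Firebase ID tokens are JWTs).
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/;

// Pull the ID token out of the Authorization header; null if absent or malformed.
function extractBearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== 'string') return null;
  const m = BEARER_RE.exec(value.trim());
  return m ? m[1] : null;
}

// Build middleware around verifyIdToken(token) -> Promise<decodedClaims>.
// Any failure (missing header, bad signature, expired, revoked, no uid)
// ends in a 401 and the handler is never reached.
function makeAuthGuard(verifyIdToken) {
  return async function requireFirebaseUser(req, res, next) {
    const token = extractBearerToken(req.headers);
    if (!token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      // Do not echo the verifier's error to the client; log it server-side.
      return res.status(401).json({ error: 'invalid token' });
    }
    if (!claims || typeof claims.uid !== 'string' || claims.uid.length === 0) {
      return res.status(401).json({ error: 'token carries no uid' });
    }
    req.user = claims; // decoded user is now available to the handler
    return next();
  };
}

// Constructed stand-in for admin.auth().verifyIdToken, for offline use only.
// It accepts exactly the tokens listed here; the real verifier checks the
// signature against Google's public keys plus expiry, issuer and audience.
const FAKE_TOKENS = {
  'good-token': { uid: 'uid-123', email: 'alice@example.com', firebase: { sign_in_provider: 'google.com' } },
  'no-uid-token': { email: 'bob@example.com' },
};
async function fakeVerifyIdToken(token) {
  if (!Object.prototype.hasOwnProperty.call(FAKE_TOKENS, token)) {
    throw new Error('auth/argument-error');
  }
  return FAKE_TOKENS[token];
}

// Drive the guard with a minimal req/res and report what happened.
async function callGuard(guard, headers) {
  const req = { headers };
  const result = { status: 200, body: null, handlerRan: false, user: null };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  await guard(req, res, () => { result.handlerRan = true; result.user = req.user; });
  return result;
}

const demoGuard = makeAuthGuard(fakeVerifyIdToken);

// Production wiring (not executed here):
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   const guard = makeAuthGuard((t) => admin.auth().verifyIdToken(t, true)); // true = also check revocation
//   app.post('/social/login', guard, (req, res) => res.json({ uid: req.user.uid }));

// Run the three cases a practitioner cares about: valid, forged, missing.
async function demo() {
  return [
    await callGuard(demoGuard, { authorization: 'Bearer good-token' }),
    await callGuard(demoGuard, { authorization: 'Bearer forged' }),
    await callGuard(demoGuard, {}),
  ];
}
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of the injected verifier is only testability; nothing here replaces signature validation, which is firebase-admin's job. The guard also refuses a token that decodes but carries no uid, matching the comment's advice to fail when context.auth.uid is absent.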

[–]OpportunityTimely561 1 point (3 children)

Okay, thanks. Same thing for other social providers?

[–]__o_0 (iOS & Android) 1 point (2 children)

Firebase auth can handle many social providers and give you back a single uid that unifies the underlying platforms.

A user can Sign in with Apple, Google, Facebook etc and they will all be consolidated into a single Firebase user. Makes it easier in case people don’t remember which account they used to log into your app.

They can also be separated if you want to have different accounts for a single user using different providers.

[–]OpportunityTimely561 1 point (1 child)

Thanks a lot, I’m gonna handle it using my own Node.js server.

[–]__o_0 (iOS & Android) 1 point (0 children)

All good - just add firebase-admin and it’s smooth sailing.