4
votes

I'm new to Firebase and I'm attempting to set up a simple authentication system using e-mail/password. The initial concept is simple: you register. Then, after logging in, you can access the rest of the mobile app.

In the past, I could set this up with PHP in just a few minutes. But with Firebase, this has become a battle that I can't seem to win.

Using the light documentation found on Firebase's site, I was finally able to successfully register and authenticate a user. Great.

Unfortunately, people can still access the rest of the app whether they are logged in or not. How do I keep the app protected from non-authenticated users?

Also, how do I associate data submitted on a page with an authenticated user?

I've looked at Firebase's documentation. It lacks practical examples for authentication. It keeps referring me to the Firefeed app as a sample. I've looked at Firefeed's code and the authentication system seems 1) excessively complicated for a login system and 2) too intricately tied in to news feeds to be a practical example to learn from.

On the other hand, perhaps I'm just missing something obvious and fundamental. If someone could point me in the right direction, that would be great. Thanks! :-)

(By the way, I tried e-mailing this question to [email protected], as suggested on Firebase's site... but the group does not appear to exist, according to the bounce-back message from Google.)

2
Regarding the Google Group, please double-check the address you sent to. It looks correct in your post above, but note that the group is still active and available at https://groups.google.com/forum/#!forum/firebase-talk. - Rob DiMarco

I sent it to this address (copy/pasted): [email protected] And here is the response from Google (also copy/pasted): "We're writing to let you know that the group you tried to contact (firebase-talk) may not exist, or you may not have permission to post messages to the group. A few more details on why you weren't able to post:" Not sure why it didn't work when clearly, as you indicated by your link, it exists. - mrbranden

By the way, is there a reason my question was down-voted? - mrbranden

Did you bother to search this site? stackoverflow.com/questions/15167981/… - JeffO

It's more of a rant and less of a question. Try following these guidelines stackoverflow.com/questions/how-to-ask - Kelly J Andrews

2 Answers

10
votes

Stepping back for a moment, it's worth noting that Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. You can still use your existing authentication with Firebase using Custom Login, if you like.

Firebase Simple Login eliminates the need for you to run a server just for authentication. However, there is no 1-to-1 parallel to the PHP example where the server would govern request access based upon a detected session on the server, because all of your logic, templates, etc. live in client-side code.

In most cases, your client-side logic, templates, assets, etc. will be static and public. What you're really looking to secure is user and application data, and this is where Firebase Authentication (whether using Simple Login or Custom Login) comes in. Firebase Authentication is essentially token generation - taking confirmed, identifiable user data and passing it securely to Firebase so that it cannot be spoofed.

Read / write access to different paths in your Firebase data tree is governed by Firebase Security Rules, which allow you to write JavaScript-like expressions to control which clients can access which data.

Here's an example:

Suppose you have a user list, where each user is keyed by user id, such as /users/<user-id>/<data>, and you want to ensure that only the logged in user can read / write their own data. With Simple Login, this is really easy!

Looking at the After Authenticating section of Email / Password authentication docs, we see that the auth variable in our security rules will contain a number of fields after authenticating, including id, the user's unique user id. Now we can write our security rules:

{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$userid": {
        ".read": "auth != null && auth.uid == $userid",
        ".write": "auth != null && auth.uid == $userid"
      }
    }
  }
}

What's going on here? Firebase Authentication (using Simple Login) securely generated a token containing your verified user data upon login, and that token data becomes available in your security rules via the auth variable for the connection. Now, in order for a client connection to read or write to /users/xyz, the user must be authenticated and authenticated as user xyz.

Most of the above is covered in the Security Quickstart but it is admittedly a little hard to wrap your head around.

Back to your initial question, if you want to redirect away from certain paths when a user is not authenticated, you can do the following:

var ref = new Firebase(...);
var auth = new FirebaseSimpleLogin(ref, function(error, user) {
  if (!user) {
    // we're logged out, so redirect to somewhere else
  } else {
    // we're logged in! proceed as normal
  }
});

Hope that helps!
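To see how the security rules in the answer above decide access for different connections, here is a simplified local model, added as an example and not part of the original answer or Firebase's rule engine. The rule strings are copied from the answer; the `evalRule` and `isAllowed` helpers and the sample auth objects are assumptions made for illustration.

```javascript
// Simplified local model of rule evaluation; not Firebase's own engine.
// Rule strings are copied from the answer above.
const rules = {
  ".read": false,
  ".write": false,
  users: {
    $userid: {
      ".read": "auth != null && auth.uid == $userid",
      ".write": "auth != null && auth.uid == $userid"
    }
  }
};

// Booleans are used as-is; strings are run as plain JS, which is enough for
// the expressions in this rule set (trusted constants only).
function evalRule(rule, auth, vars) {
  if (typeof rule === "boolean") return rule;
  if (typeof rule !== "string") return false; // no rule at this level
  const names = Object.keys(vars);
  const fn = new Function("auth", ...names, "return (" + rule + ");");
  return fn(auth, ...names.map((n) => vars[n])) === true;
}

// Walk from the root to the requested path. Access is granted as soon as one
// level's rule is true; a false rule higher up does not block a grant further
// down. If no level grants access, the request is denied.
function isAllowed(op, path, auth) {
  let node = rules;
  const vars = {};
  if (evalRule(node["." + op], auth, vars)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    if (!/^[.$]/.test(seg) && Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wild) return false; // path not covered by any rule
      vars[wild] = seg; // bind $userid to this path segment
      node = node[wild];
    }
    if (evalRule(node["." + op], auth, vars)) return true;
  }
  return false;
}

// Constructed auth payloads standing in for verified token data.
const alice = { uid: "xyz" };
const bob = { uid: "abc" };
console.log(isAllowed("read", "/users/xyz", bob), isAllowed("write", "/users/xyz", alice));
```

Data a user submits is tied to that user by writing it under `/users/<their uid>/...`, which is the only subtree these rules let that connection write to.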

2
votes

Please note:

Login is now a core feature of Firebase. Simple Login has been deprecated and documentation for this client is now available on GitHub.

See this page for more info: https://www.firebase.com/docs/web/guide/user-auth.html