Sharing Firebase authentication/token across two iOS apps

0
votes

I have an iOS app, App1, using a Firebase backend, and the user can sign in/create an account with using:

  1. Firebase account (email/password)
  2. Facebook (swap for Firebase credential after authentication)
  3. Google (swap for Firebase credential after authentication)

This works fine.

I have another iOS app, App2, using a Firebase backend, that allows a user to sign in/create an account using the exact same options as App1 (App2 uses the exact same core code App1 uses), and, in addition, a 4th sign in/create account option:

  1. Firebase account (email/password)
  2. Facebook (swap for Firebase credential after authentication)
  3. Google (swap for Firebase credential after authentication)
  4. Scan a QR code displayed on another device App1 is running on

To use option 4, QR code sign in, the user on App1 clicks a button, "Generate QR Code", the data for the generated QR code on App1 contains the Firebase credential uid and displayName.

This all works fine. App2 can read the data in the App1 QR code, App2 easily now has the uid and displayName for the logged in user on App1.

Now for the first problem I ran into on App2 when later trying to update the Firebase Database using the uid from the App1 QR code, Firebase error: "Permission Denied":

enter image description here

Understood, have to be authenticated, my Database rules clearly express this, I didn't know this prior to my QR code strategy of course:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Yet, I do not want to switch my Firebase rules to Public, that would allow anyone access. So next I thought, no problem, I will just put the user entered email/password as data in the generated QR code on App1, my apps does not have high security concerns, then, when App2 scans the App1 QR code, App2 can just login into Firebase using the email/password it read from the data in the App1 QR code.

There is one problem with my solution, it will not work for users that sign into App1 with Google or Facebook. I will not have their email or password in this case.

Another solution I was pondering but I am pretty sure will not work for me, refer above to the Firebase "Permission Denied" is Firebase's signInAnonymously, this will not work for me because the Firebase user exists, that user signed in on App1, has their own uid, which is not the uid created by signInAnonymously obviously.

Another solution I am pondering is using NSUbiquitousKeyValueStore to share the Firebase credential from App1 with App2 but I am not sure what I will need in the Firebase credential to recreate it on App2. I think I would still have to call Auth.auth().signIn on App2 to create a new valid Firebase session on App2 even if I shared a valid Firebase credential/token from App1 via NSUbiquitousKeyValueStore...or other suggestions please...

1
iosobjective-cswiftfirebaseqr-code
Never, ever, EVER expose a users username/password. At least inform them about it if you do.Multinerd
@Multinerd stop with your dramaBrian Ogden

1 Answers

0
votes

Thanks to information here and here I realized I could add a Firebase account that had a "role" as an Administrator. This way, when I retrieve the uid and displayName from the QR code (the QR code must include the displayName in addition to the uid as you cannot retrieve it later even with full access to the Firebase database) I can just login as my Administrator Firebase account and I can write and read for the QR code passed in uid with the following database rule changes, please note I do have a "users" database I created and that is where I store my role:

{
  "rules": {
    "users": {
      ".read": "root.child('users').child(auth.uid).child('role').val() == 'admin'",
      ".write": "root.child('users').child(auth.uid).child('role').val() == 'admin'",
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}