How to create a secure API using Firebase Auth without installing Firebase SDK on the client

1
votes

I'm trying to create an API for our app using Express.js endpoints that connect to our Firebase Cloud Firestore database. A main component of responding with the requested information securely is authentication, and we want to be able to make it as straight forward to the users as possible. For example, by them simply sending an API secret key on their requests.

My issue is that all of the authentication mechanisms that Firebase seem to provide require that the client is authenticated with the Firebase SDK, which would be uncomfortable for us to ask users to install.

In short, is there any way that they can either create a firebase token without the SDK or for us to authenticate them securely with an API key on our end? Note that the connection to our API would only be done through our user's back ends, never front end clients.

Thanks!

1
node.jsrestfirebaseauthenticationfirebase-authentication

1 Answers

1
votes

See:

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.

You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.