I am running a web app with Firebase redirect authentication.
When the user is returned to the web app, the web app initializes once more while the authentication redirect is pending.
This state can be seen in the browser session storage, like this:
{firebase:pendingRedirect:AIzaSyCMM24e1XAkOQD-wo_TnoaFNXFzFk93sj8:[DEFAULT]: '"true"'}
I want to retrieve this item in an idiomatic way. Right now I am using this util:
function getAuthRedirectIsPending() {
for (let i = 0; i < sessionStorage.length; i++) {
const key = sessionStorage.key(i)
if (
key?.startsWith('firebase:pendingRedirect') &&
sessionStorage.getItem(key) === '"true"'
) {
return true
}
}
return false
}
But I also noticed that this key exists on the firebase auth object, albeit inaccessible:
{
"persistenceManager": {
...
"fullUserKey": "firebase:authUser:AIzaSyCMM24e1XAkOQD-wo_TnoaFNXFzFk93sj8:[DEFAULT]",
"fullPersistenceKey": "firebase:persistence:AIzaSyCMM24e1XAkOQD-wo_TnoaFNXFzFk93sj8:[DEFAULT]"
}
I was wondering if there was a way to retrieve the persistence redirect key name from Firebase, then using it to access the window session storage?
Firebase Authentication Persistence Manager uses the Web Storage API to store user authentication tokens. The Web Storage API is a simple key-value storage system that provides two types of storage mechanisms: session storage and local storage.
The session storage is a temporary storage mechanism that is cleared when the user closes the browser window or tab, while the local storage persists even after the user closes the browser window or tab.
Firebase Authentication Persistence Manager stores the user authentication tokens in the local storage, and the keys for the local storage are accessible through the browser's developer console.
To access the Firebase Authentication Persistence Manager keys, follow these steps:
Open your web application in your browser and navigate to the authentication page.
Open the browser's developer console by pressing F12 or right-clicking on the page and selecting "Inspect."
In the developer console, select the "Application" tab.
In the "Application" tab, expand the "Local Storage" option.
Look for the Firebase Authentication Persistence Manager keys. The keys are named "firebase:authUser" followed by your Firebase project ID.
Click on the key to view the stored value, which will include the user's authentication token.
Note: Accessing the user authentication token may not be necessary in most cases, as Firebase Authentication provides methods to manage user authentication state without directly accessing the authentication token. Additionally, manipulating the authentication token can be dangerous and could compromise the security of your application.
Related
I currently have an iframe which i embeed in my site, in a chrome extension and in 3rd party sites.
The problem is the following:
I'm populating parts of my iframe with firebase data.
In my site, i embeed my own iframe and is protected by a firebase token (the views), i don't know exactly how it works, but it returns the data correctly when calling the DB.
Example:
getData(
reference: string,
){
const ref = `accounts/${reference}`;
const dataReturn = this.db.object(ref).valueChanges();
return dataReturn;
}
This returns just fine on my webapp, when the user logouts in my webapp, then the data is protected (as it has to be)
The problem begins here: When a 3rd party embeeds my iframe, they use an oAuth token (to get users, etc from my API), so they're not logged in my website, hence, when they embeed and try to get the data (automatically, since we call firebase onInit), they get blocked by firebase because they don't have a valid token/they're not authenticated in my website.
Is there a way to use that oAuth token to let them get the firebase data?
Same escenario happens in the chrome extension, we make the user log-in using an oAuth token (to prevent making an account and logging in in our webapp, preventing CORS issues).
These are my rules in realtime database firebase:
"accounts": {
".read": "auth !== null",
".write": false,
}
Thank you!
If the OAuth token is from a collaborator on the Firebase project and that collaborator has access to the Realtime Database, the client will have that same access to the database too.
Their API calls will in that case bypass the security rules of your database, just as when the collaborator would sign in to the Firebase console and access the database there.
Ok.. so for anyone wondering.. a coworker resolved this issue by sending the oAuth token to our backend, and returning from there a valid firebase token. With that token, we just sign-in with signInWithCustomToken() firebase function (of course applying logic so just oAuth users can actually use this automatically). That way my users have access to realtime database since they're authenticated in firebase
Making a AWS Cognito user session persistent in Electron
AWS Cognito stores the current user session in the localStorage. While the user session is present in localStorage after the user has logged in, localStorage isn't persistant in Electron - so when the application restarts, the user session is gone and the user has to log in again. Normally the user session would be recieved from localStorage, since it is persistent in browsers.
I know that one can use electron-json-storage to store data persistantly in Electron and generally in node applications, but since AWS cognito uses localStorage, I am only able to use an approach that would change localStorage into being persistant, i.e redirected to a file storage.
I have tried node-localstorage which works, but cognito still uses the localStorage from the browser, even when global.localStorage is set.
I know that the userPool can be passed a {Storage: ...} object to use that as storage, but it still used the original localStorage, when I passed the node-localstorage to it.
TLDR;
How can I make the AWS Cognito user session persistent in electron?
If possible, can I replace localStorage with node-localstorage globally, so that AWS Cognito will use it?
Cognito will be giving you three tokens idToken, accessToken and refreshToken
A simple idea will be to save the refreshToken in your localstorage that you think is persistence. and on electron app start use that refreshToken to authenticate user user on Cognito.
I am building a admin panel for a android app in javascript and php in which i created a users table with Firebase Authentication UID so every user key is UID but in this user table i am not inserting Auth Identifier. now in my admin panel how can i retrieve Auth Identifier (Phone Number) using UID(user Key)
An alternative to storing the data in the database (as Qasim answered) is to use the Firebase Admin SDK to look up the user's profile by its UID.
The Firebase Admin SDK runs with administrative privileges, and thus can perform certain sensitive operations that the regular client-side SDKs are not allowed to do. As such, it is meant to be only run in trusted environments, such as your development machine, a server that you control, or Cloud Functions for Firebase. With these last two you could create your own API, that your admin panel then calls. Just be sure to secure the API, because otherwise you're leaking user information.
You can only get the firebase authenticated User info from the current session/user, and if you need to query for it later then you need to save it in your own datastore.
For more details, see this https://www.firebase.com/docs/web/guide/user-auth.html#section-storing
We have a native Android app where we are using the the latest version of the Cognito SDK to authenticate the user.
The problem we have is that the Android app uses a Web view and in this web view we will need to fetch the current cognitoUser with its authenticated session.
We are using the latest Cognito javascript sdk in the web view.
How do we share the auth between 2 clients that uses the same user pool?
Update 04/10-2017
I managed to bypass this by sending everything Cognito related i had in my local storage as query string parameters. Then "in" the webview i saved the settings to that local storage.
It is not right but it works ;)
I believe this is not possible. The web-view has its own storage that is not shared with the device storage.
So the user context - users tokens, login state etc - is not shared between the webview and the Android SDK on the device
I have now been in contact with persons that are experienced working with Cognito.
The judgment was that we can bypass this by sending all Cognito related values as query parameters to the application behind the web view.
The application in handling the web view will then take all those values and save them to local storage.
Problems I had:
I found out that if you have multiple Clients you will have to pass the clientId of the application behind the web view.
I am creating chrome app, I would like my users to login or create a user when they first enter the application.
The goal:
Maintaining login state on chrome packed app.
The problem:
Cookies - Chrome packed app have no cookie API, meaning that "document.domain" exists,
But you can't set cookies, at least not using http request.
Extension- There is not access to browser extensions (for a non-sandbox pages)
Couldn't think on other solution, Any idea?
You could store the session id in the application storage via chrome.storage.local.set chrome.storage.local.get methods.