Getting firebase realtime database sending an oauth token (Angular iframe) - javascript

I currently have an iframe which i embeed in my site, in a chrome extension and in 3rd party sites.
The problem is the following:
I'm populating parts of my iframe with firebase data.
In my site, i embeed my own iframe and is protected by a firebase token (the views), i don't know exactly how it works, but it returns the data correctly when calling the DB.
Example:
getData(
reference: string,
){
const ref = `accounts/${reference}`;
const dataReturn = this.db.object(ref).valueChanges();
return dataReturn;
}
This returns just fine on my webapp, when the user logouts in my webapp, then the data is protected (as it has to be)
The problem begins here: When a 3rd party embeeds my iframe, they use an oAuth token (to get users, etc from my API), so they're not logged in my website, hence, when they embeed and try to get the data (automatically, since we call firebase onInit), they get blocked by firebase because they don't have a valid token/they're not authenticated in my website.
Is there a way to use that oAuth token to let them get the firebase data?
Same escenario happens in the chrome extension, we make the user log-in using an oAuth token (to prevent making an account and logging in in our webapp, preventing CORS issues).
These are my rules in realtime database firebase:
"accounts": {
".read": "auth !== null",
".write": false,
}
Thank you!

If the OAuth token is from a collaborator on the Firebase project and that collaborator has access to the Realtime Database, the client will have that same access to the database too.
Their API calls will in that case bypass the security rules of your database, just as when the collaborator would sign in to the Firebase console and access the database there.

Ok.. so for anyone wondering.. a coworker resolved this issue by sending the oAuth token to our backend, and returning from there a valid firebase token. With that token, we just sign-in with signInWithCustomToken() firebase function (of course applying logic so just oAuth users can actually use this automatically). That way my users have access to realtime database since they're authenticated in firebase

Related

How to properly use firebase in js, without exposing database to users?

I am trying to use firebase with firebase hosting (node js backend) to let logged-in users upload a file.
I let users log in using email and password. The file should be uploaded to firebase storage with its details (provided by the user through a form) to be stored in firebase database.
I am successful in doing this using firebase in js(client-side).
However, with firebase at the client side, anyone can write any javascript code to do anything with firebase db, storage, and even they can create a new users directly which is very bad.
My DB security rule:
".read": "auth != null",
".write": "auth != null"
I couldn't find any helpful content regarding this. Even in the official sample code by Google (for js) is implemented in a similar way.
So, how should I properly use firebase in js without the above problems or should I even use it?
Should I shift everything to node.js backend? But then how do I get the file uploaded by the user in node js?
You have two options.
Correctly implement security rules for mobile and web clients directly accessing your database and storage. There are security rules available for Realtime Database, Firestore, and Cloud Storage.
Move everything to a backend, where your client should pass along a Firebase Auth ID token with every request, validate it using the Firebase Admin SDK, and only perform the operation if that user is allowed, by whatever logic you choose.
It's up to you to decide which option is better for your specific use case.

Securing API calls without token

I'm building an app and an API endpoint using PHP(I know what you thinking!). My issue is that if I ask user for username and password on opening the app for the first time, since I can't store these details locally because they could be compromised. I'd send these through Post request to server then generate a token depending on whether the user is the right one. After getting response I must store this token locally right?
Yes!. there's expiration for the token. After the token is expired, I don't want to ask user for their name and password but want to access API still authenticating as that user. How will I do this?
If I use Oauth it's still the same procedure right? I should store something locally. won't that be compromised? I'm very confused.
How does other apps work. I'm sure they doing something in the background. They ask us for credentials only once and all subsequent API calls will be secured. Won't the token expire in that case or what?
Can i secure API calls without storing anything locally? I don't want API to be accessed from anywhere else but app.
Use android SharedPreferences. It should be very secure unless you deliberately expose it e.g. its accessible via an exported content provider missing the (android:exported="false") in the manifest. You can also use sqlite but there is no point of using a db table for one or two rows of data.You can also encrypt the user name and password to add one more security layer to protect rooted users.
Furthermore to protect the data in the network you should use ssl in the backend so no one can sniff the credentials.

Reusing Google Api Bearer Token to access user's Drive

I have the following:
gapi.auth.authorize(
{ client_id: CLIENT_ID, scope: SCOPES, immediate: false },
handleAuthResult);
Which gives me access to an access_token:
The goal is that a user of this application can grant access to my app to use their google drive to store their content. I need to be able to use this token to:
Read files
Post files
Over a long period of time without reauthenticating via the google login page. How can this be achieved? I'm using C# as a backend.
You will need to switch from doing OAuth in JavaScript in the browser to doing OAuth on your server. It's well documented here https://developers.google.com/identity/protocols/OAuth2WebServer
You have the choice of using the OAuth c# library, or simply calling the REST endpoints.
To achieve access without the user present, you'll need access_type=offline which ...
Set the value to offline if your application needs to refresh access
tokens when the user is not present at the browser. This is the method
of refreshing access tokens described later in this document. This
value instructs the Google authorization server to return a refresh
token and an access token the first time that your application
exchanges an authorization code for tokens.
You will then get a Refresh Token on the first time the user grants permission. You will need to save this Refresh Token in some sort of server datastore. You can then use it at any time to request an Access Token.

Unable to decode Firebase JWT

I am creating a web application and I want to implement Firebase authentication and help users to login using Google, Facebook or Twitter.
Users login using Firebase on my website I receive login information in my Javascript.
As per Firebase documentation, instead of passing UID received in the JS, I send the token id to the backend server so that it can authenticate the source and retrieve the user id.
I use PHP-JWT to check and validate the token returned by Firebase. However, the Key ID in the header is not matching with any of the Key ID defined in https://www.googleapis.com/robot/v1/metadata/x509/securetoken#system.gserviceaccount.com where, as per the verification document, is where I can find the public keys.
Can you print out the 'iss' and 'exp' fields in the Firebase token payload when your server can not validate the token? The issuer ('iss') should start with https://securetoken.google.com/, and the issued time ('iat') should be 1-2 seconds earlier than your system time when your server received the token.

Yammer authentication - check if token is valid

I'm using Yammer JS SDK to authenticate users to access some web service. I'm using JS SDK to obtain a token and I store it in session. Current flow is following (may be wrong, correct me, if necessary):
User accesses any page, PHP is checking for token stored in session vars. If not - user is redirected to login page
Using Yammer SDK I'm getting an access token and save it to session vars (POSTing it to our server side login service) and render the requested page.
Problem so far - I can't find any way in Yammer API to check if the access token stored\passed to my web service is actually the right thing. Which means, that potentially anyone can generate some random gibberish data, use that as a token and view content - the rest of Yammer functionality will be broken, but content will be visible.
The smartest way I thought of so far is to try and get some client info from Yammer REST API using the token and if response is invalid - delete the session stored token.
How do I do that the proper way?
Checking for HTTP status code 401 Unauthorized Access on a request is the only way I know of to determine if your Token is valid. There are a couple instances where you will get a 401 back with a valid token, but this is pretty rare.

Categories