Does anyone have the ability to create an account with my key? - javascript

EDIT : tried the authorized domain and it seems to be what i need, i'll try to go deeper with André's answer :)
Thank you !
Hi,
I'm new to firebase and i just finished a project but i had a question:
Since the doc says i have to put my api keys and else in the javascript, they are visible to anyone even if put into process.env
i've read here : Is it safe to expose Firebase apiKey to the public?
that making the api key public is normal and not a big deal.
I'm using the email/password auth and i'm scared
If someone takes my :
API_KEY_FIREBASE
AUTH_DOMAIN
DB_URL
PROJECT_ID
that are in the source code and use the createAccount function, is he gonna be able to create an account ?
Is yes, is there a way to disable this ?
I want to be able to create account only through the firebase console
I'm not using firebase database for my data, i only use it for auth so i don't have to create a user table in my database, but i use the IDTokens they provide to secure some routes on express.
thank you ! :)

Someone can only create an account when you have that option enabled in your firebase console. So If you have it disabled there is no problem.
You can look here in the "before you begin" section for how to enable/disable Email/password sign-in method.

Related

Creating A 'User Only' Section In A Firebase Site

I'm hoping to be able to create a section of a site that is unable to be read/seen by anyone that's not logged in... I am using Firebase and Javascript
I have read that you are unable to set permissions for files (.htmls ect) so i wont be able to block people from seeing the pages as a whole... Ive also read that this isn't the best practice anyway... So my question is...
What is the protocol for doing this sort of thing? And how can this be done in Firebase?
I have managed to create a user only page before from a tutorial, but this was just done by hiding the content of the page with Javascript and also blocking the permissions to the displayed data through Firestore permissions.
But I don't feel this is adequate for my site as I don't want people being able to read the code in the background or get access to the page at all to begin with.
I have also read that a way to go about doing this is to use Firebase Cloud Functions to check weather the user is logged in and if they are then it spits out the code for the pages from the google servers. Is this a good idea? Or is there a better way?
Any help, tips or insights would be greatly appreciated.
Just trying to get a feel for where to begin with this problem.
Hoping there is a solution.
Thanks
Yes, its a good practice hiding or preventing the UI to be rendered for unauthorize users.
Yes, its also a good practice setting the permissions accessing your data from the database.
You should also consider middleware, navigation guards or route guards for preventing unauthorized users to visit the restricted page. It would depend on the stack, or what frontend technology you are using. You can find whatever navigation guard you chosse. For vuejs there is vue-router. Also you can use firebase authState listener. Depends on your choice.
Use firebase auth to signInWithEmailAndPassword, or whatever your authentication method was. Then, you can check the auth state in onAuthStateChange, and set your new userId state:
// somewhere...
const [currentUserId, setCurrentUserId] = useState(null)
// later..
onAuthStateChanged(auth, (user) => {
if (user && user.uid) {
setUserId(user.uid)
}
});
// even later in this component:
return (<Layout userId={currentUserId} />);
// in wherever you have links, I assumed you passed currentUserId to here:
return (
currentUserId != null ? (Give content pls) : routeToLogin();
);
Something like this should be fine and secure enough. Noone is gonna go and flip a variable in your extremely obfuscated, transpiled javascript code generated by your bundler, and even if they did find a place to flip a variable, the code would probably throw an error anyway.
You could lazy load that certain page as well once authenticated, then the code for it it wouldn't even be loaded into the users disk until they've successfully signed in.

How to configure security to allow swagger url to be accessed only with authentication in nodejs

I have integrated swagger in node and it is accessible on http://localhost:3002/api-docs. But the swagger ui is publicly accessible. I want to add authentication/security to access this route. When user hits http://localhost:3002/api-docs, it should show popup/prompt to enter username/password. If username and password is correct then only user should able to see swagger UI.
Possibly like as seen in below screenshot
I am using swagger-ui-express, and this is my code that I m using
import swaggerUi from 'swagger-ui-express';
import * as swaggerDocument from './swagger.json'
....
....
app.use("/api-docs",swaggerUi.serve,swaggerUi.setup(swaggerDocument));
I searched on the internet but didn't got any solution. I found one solution but that is in spring.
Thanks in advance !!
You can plug in a basic-auth middleware (e.g. https://github.com/LionC/express-basic-auth) to protect the swagger-ui route. If you use express-basic-auth, make sure to set the challenge option in order to force the browser to open a prompt:
const basicAuth = require('express-basic-auth');
app.use("/api-docs",basicAuth({
users: {'yourUser': 'yourPassword'},
challenge: true,
}), swaggerUi.serve, swaggerUi.setup(swaggerDocument));

How to login a user using firebase authentication

I'm currently using firebase-admin to create a web Dashboard with node.js as a backend which will have multiple users and those users have user specific data in my database, note that I need them to be able to delete or add stuff to the database as well, I've managed to add new users to Autentication using firebase.auth().createUser() programmatically, but how would one go about logging in a user, and then from there controlling which uid is logged in and displaying his data (giving him access to the correct data, obviously don't want him messing with someone elses data).
I know this might seem like a really newbie question, and it probably is, but firebase docs always get me confused for some reason. Any tips? I'd greatly appreciate.
Any questions don't hesitate.
To login a new user, try this:
firebase.auth().signInWithEmailAndPassword(email, password)
this returns a Firebase.Promise which you can use to track the operation progress. If successful, it will return the corresponding Firebase.User object.
From there, the logged-in user will also be available in the firebase.auth().currentUser property. You can then use the user's uid property as a key for his JSON branch on the database.

how to get account details when integrating plaid api

I am actually trying to integrate Plaid api for ACH payments and following "https://plaid.com/docs/link/" tutorial in Ruby. In this I have written the js code and it shows me pop up to select bank accounts.
I am using it in sandbox mode in which I am using test credentials to verify the account and it successfully verifies the account. For server side scripting I have installed plaid gem and configured it using following code into my_app/config/initializers/plaid.rb
Plaid.config do |p|
p.customer_id = 'test_id'
p.secret = 'test_secret'
p.environment_location = 'https://tartan.plaid.com'
end
where I have replaced the customer_id and secret key with my own. I am using a user controller in which under create method I am trying to create a user like this:
user = Plaid.add_user('auth', 'plaid_test', 'plaid_good', 'usaa', '1234')
Now I am confused how would it work.
I am trying to create a server side handler using ruby but I dont understand where I am lacking (as I am new to Ruby). I actually want that after successfully validating credentials there should be an option to select account like in the given demo
https://demo.plaid.com/stripe
I really need help as I am badly stuck in this from last three days. Any help would be appreciated. Thanks
Plaid Link returns a 'public_token' - you'll need to use the /exchange_token API endpoint to exchange the public token for an API access token.
The plaid-ruby library has a detailed example of the exchange token flow!

Login and pay with Amazon integration issue

So, I'm trying to integrate the Login and Pay with Amazon widget, and I'm encountering some problems.
So, I have my seller account all set up on
https://sellercentral.amazon.de/gp/
I have access to my API credentials, and I need to get a LWA client.
So, I have registered on
https://sellercentral.amazon.com/gp/homepage.htm
in order to create an application. I have set up the application, on web settings I have completed the required URL's, and got my client ID.
In the js for the Login and Pay with Amazon widget, I have replaced all the info needed: Client Id, merchant Id etc.
But when I try to make a test login, I receive the following error :
400 Bad Request Unknown client_id
The Pay With Amazon documentation is not very clear, and I can't seem to find anywhere a list with the error codes.
If anybody has an idea, let me know.
Thanks!
you should create your Login with Amazon application using https://sellercentral.amazon.de instead of the .com site. They are separate accounts.
It sounds like you're missing this piece of code:
window.onAmazonLoginReady = function() { amazon.Login.setClientId('CLIENT_ID'); }

Categories