Should Firebase Auth with Javascript use HTTPS - javascript

First time I've begun using firebase with a JavaScript project:
firebaseAuth.signInWithEmailAndPassword(creds.username, creds.password
Since it is connecting to Google via websockets, will the website need to be served over HTTPS to avoid a security vulnerability?

Since Firebase Auth makes a request to Google's backend servers, it does so over HTTPS and no email/password data is unencrypted in flight. You should still strive to use HTTPS on your own system, and if you're using Firebase already Firebase Hosting offers free static web hosting with SSL provisioning on your own domain.

Related

Use RESTful API with and without JWT authentication

I have a web application with Angular front-end and a back-end developed using the Nest.JS framework.
The back-end RESTful API endpoints are secured with an SSO and JWT authentication.
Using the same web application I created a desktop application with the help of the NW.JS.
The application setup is successful and can run on the desktop OS.
Now I need to use the same back-end RESTful API endpoints without the SSO but with JWT for the desktop application.
In some situations (ex. checking for updates), I only need to use the SSO login.
How can I use the Nest.JS server endpoints for this kind of use cases.
Is there a conditional way to write annotations/middleware that we can use to check the app is running on WEB or Desktop and bypass the SSO login?
Also this should be a much secure way to protect the endpoint in both situations.
NOTE: Identifying the running environment is also has configured and running well in the application.
Thank you very much

Can I use firestore npm library from my express app?

I've come up with this library that I am using on my node.js web server as a nosql database, alternative to mongodb.
I've seen this quote:
Applications that use Google's Server SDKs should not be used in end-user environments, such as on phones or on publicly hosted websites. If you are developing a Web or Node.js application that accesses Cloud Firestore on behalf of end users, use the firebase Client SDK.
Does this mean I shouldn't use it on my node.js server express app to access the database, or it's just from the served content as web browser scripts.
If the code that uses the Admin SDK runs on the server, then that in itself doesn't introduce a risk of leaking the credentials to an untrusted environment. It of course still depends on what your code does, but there's not much we can say on that based on what you shared.
That also still leaves concern on what the code actually does. The Admin SDKs access Firebase with administrative privileges, and are not affected by any security rules you may have set on your database. So while client-side SDKs can only access data that the security rules allow, Admin SDKs can access all data - no matter the security rules.
So if you load data through the Admin SDK that you present to the user, it is up to your code to ensure you only share data that the user is authorized for.
If you are using directly to firebase from client (react, vue) use https://www.npmjs.com/package/firebase
but, if you are building api use https://firebase.google.com/docs/admin/setup/

Angular and Spring rest api communication over https

I have frontend written in angular and backend written in Spring. I bought hosting and there I installed tomcat where im deploying my production backend. Im deploying frontend under domain folder on my hosting service.
Spring has jks certificate. I added this jks certificate to connectors in server.xml.
Angular has let's encrypt certificate which was generated for my domain "spotmapa.pl".
Now i have this situation:
On desktop google chrome my domain seems "not secure" and when this website makes api calls for backend it does it correct.
But in for example firefox my domain seems secure and has padlock but api calls to backend not working from there.
My api calls to backend from postman works properly, but doesnt work from secured by lets encrypt website.
I dont get any errros in logs.
I have two questions:
Should i have the same certificate for backend and frontend?
Why does unsecured origins make api calls right, but secured website https://spotmapa.pl no?
Frontend with lets encrypt was calling api secured by selfsigned certificate. This caused problem. I did lets encrypt for the backend too and it works correctly.

HTTPS on localhost for OAuth for a desktop application

I am creating a desktop application that using Spotify's oauth api. I am using the implicit grant flow described here: https://developer.spotify.com/web-api/authorization-guide/#implicit_grant_flow
My idea is to have an "Authenticate" button, that you click and it opens your browser. You login/approve the connection with Spotify. Then it sends you to a redirect url.
I want to set this redirect url to 127.0.0.1:58212 or some port on the loopback device.
My question is, should I use https for this?
I am leaning towards yes. One because the access token needs to be secure, and I believe other users on the system could potentially read the message when it is sent, and two because in the time it took the user to log in, someone could have taken over the port.
So I want SSL for encryption of the message, and I want to ensure I am actually talking to my app.
How do I generate certificates in this situation? I think each instance of the application needs to have its own certificate, and I need to somehow inform the computer to trust that certificate during the lifetime of the application.
I could also generate the certificate during installation, and do some step during installation that makes the system trust that certificate.
Am I thinking about this the correct way, or am I going about this all wrong?
I am using electron and express in JavaScript to write my application.
Thanks for any advice.
The best way to securely use Oauth with installed applications such as desktop applications is to use the Oauth 2 flow for installed applications. But this option would have to be implemented by the service provider. Google provides for this option.
https://developers.google.com/api-client-library/python/auth/installed-app
Unfortunately, many services do not implement OAuth2.
To use Oauth 1.0 with installed applications, instead of returning to a callback_url, the service provider displays the auth code to the user which the user can then copy and paste to the desktop application. Check out Trello Ouath integration which allows for this.
The Web Api flow that you are trying to achieve will not work in the case of desktop apps. The redirect uri 127.0.0.1:port is your local uri. The service provider will need, at the very least, your public ip to redirect the flow back to your system.
AFAIK, for a Desktop or a native app it is much better to implement the Oauth authorization code flow. The implicit grant is intended to be used on a device browser and not on a Web View.
If your app uses a Web Service to connect, your Web Service needs a redirect URL that uses https. Luckily most hosting platforms like Heroku provide this to you for free (otherwise you need to buy an SSL certificate which might be a lot of work).
On the authorization code flow, a token doesn't need to see the client, it is all stored in the backend.
Most services allow you to test on localhost with http.
I wrote a tutorial that could give you some guidance on the flow.

How do i secure a REST API with google authentication

I am trying to build a REST API with NodeJS and Passport, for a Single page javascript application, and i cannot figure out how to secure my REST API with Google OAuth, but i cannot figure out how to do it.
How would i do that?
At first You can use scopes to determine which client or user has which roles and grant accesses. Secondly you should communicate with your api on ssl protocol.

Categories