I have server in php with custom user authentication. I'm trying to create chat with Firebase, and after reading docs I'm still confused id I need to authenticate my users for Firebase, and if so should I do it with signInWithCustomToken?
Any other tips on how should I proceed are welcome. Thank you.
There is no need to authenticate users for them to receive FCM messages.
You do need to pass the FCM Server key to send messages to devices however. You can see an example of that in the Authorization header here: https://firebase.google.com/docs/cloud-messaging/send-message
Related
I have a NextJS web app and I'm adding firebase authentication to it.
I want to make secure GET calls to my server, and was wondering what is the token I should use with the server and where to set it?
Should I use the firebase user's AccessToken?
And should I send it in the URL query parameter (or header)? Aren't both alternatives exposed to whomever sees the URL and they can impersonate the user?
Thank you in advance for the help.
Are you talking about your API keys? if you are they are supposed to be visible, you need to write Security Rules which are pretty simple to use.
Read more here: Learn about using and managing API keys for Firebase
If you want your own server-side code to use the caller's Firebase Authentication credentials to ensure they are authorized for the operation they are trying to perform, you should:
Pass the users ID token from the client to your server over a secure connection. This is typically done in the Authorization header of the HTTP request.
On the server decode the ID token, and then check your own authorization logic to see if the call is allowed.
The entire process is quite well described in the Firebase documentation on verifying ID tokens, so I recommend checking that out too.
Firebase admin is only available for admin or users also to send notification to other users?
Actually i am little bit confused in send notification from one user to another and which data is used like on the basis of user receiver uid or receiver fcm token.
firebaser here
Calls to the FCM API to send messages require that you specify the FCM server key in your code. As its name implies, this key should only be used in server-side code, or in an otherwise trusted environment. The reason for this is that anyone who has the FCM server key can send whatever message they want to all of your users.
So sending messages to users is indeed only possible from a trusted environment, either through the Admin SDK, or the REST APIs. See How to send one to one message using Firebase Messaging for more.
I was wondering, how can I authenticate requests to FireBase?
I have created new firebase account, marked Enable Email & Password Authentication, created a user with e-mail/password and using { ".read": "auth != null" } in security rules for read access.
Using PostMan plugin for chrome, selected basic auth, entered e-mail/password, GET to https://crackling-fire-NNNN.firebaseio.com/key.json but I always get { "error": "Permission denied" }. It is working if I remove security rules.
HTTPS Basic Auth is not allowed in FireBase?
Can anyone provide some simples examples in pure HTTP how to authenticate GET/PUT/DELETE requests?
Thanks!
I am posting this answer only to help other users to understand how FireBase works.
What I needed was to create an application that allows user (with password) to access his data stored on some server using REST. I thought that I could use FireBase to do that.
But. I have investigated a little bit and find out that FireBase uses JSON Web Tokens (JWT) to authenticate users. Token generation should be done on (other) server side, because it uses FireBase secret. So, apparently you can't send username&password to FireBase. FireBase SDK to be used by another server, and not client. Please feel free to correct me if I am wrong.
Firebase authentication when using the REST API requires an auth token to be passed.
See:
https://www.firebase.com/docs/rest/api/#section-query-parameters
https://www.firebase.com/docs/rest/guide/user-auth.html#section-rest-server-authentication
https://www.firebase.com/docs/rest/guide/user-auth.html
If I understand you question, you would like to use firebase purely with REST services, including authentication. For what I understand, if you want to do that you will need a server that generates a token that then you can append to the querystring. So if what you want is a serverless app that uses REST services, including logging in, the answer is you cannot. Correct me If I'm wrong
I'm following YouTube's API V3 guide to uploading a video using Oauth2:
https://developers.google.com/youtube/v3/guides/uploading_a_video
However, it's not clear to me how to upload to a specific user's channel. The guide allows for a place to specify client id, client secret id, and I have both.
I also have both an access and refresh token to that authorizes uploads to a specific channel, but I don't see where I include my access token.
Please shed some light ;)
Thanks in advance!
The YouTube API Documentation lists two ways that you can send the Access Token:
The API supports the OAuth 2.0 authentication protocol. You can
provide an OAuth 2.0 token in either of the following ways:
Use the access_token query parameter like this: ?access_token=oauth2-token
Use the HTTP Authorization header like this: Authorization: Bearer oauth2-token
Complete instructions for implementing OAuth 2.0 authentication in
your application can be found in the the authentication guide.
I asked myself the same thing earlier this month, and the answer I found is that you don't need to add the channel in your request.
Indeed, when you ask OAuth2 credentials, you are prompted to select a channel, and this channel is linked to the credentials you obtain. Therefore when you upload your video, the channel will be determined by the access token you are using.
Therefore, if you wanted to use a different channel, you would need to get credentials for that other channel, but there is no option to specify it as parameter. If ever you need to switch between channels, this article is very interesting.
I hope this will light your way ;-)
I have developed a simple API to allow communication between my Android/iPhone apps and my server. In my application, users need to authenticate themselves and they do it using login/password credentials with the following API call:
http://api.myapp.com/login?user=xxx&pass=pass
Application receives in return:
{ "api_token": "xxxx-xxxx-xxxx-xxxx" }
So basically I exchange my credentials against api_token.
I would like to add Facebook connect support. I have successfully used the Facebook SDK and receives the correct access_token.
However, I need to implement a mechanism to exchange access_token with api_token
Assuming the user has already connected his account with Facebook (on his web user panel), what would be the best implementation to proceed to the exchange?
Here is how I finally did it. It's working very well for more than one year, never had any problem. The idea is to exchange tokens using the following API call:
http://api.myapp.com/login/facebook?access_token=<facebook_access_token>
Server side, you verify validity of the access_token with a simple
wget -qO- https://graph.facebook.com/me?access_token=<facebook_access_token>
Which sends you back a JSON with all user information, including user's Facebook ID. Assuming the user has already connected his account to Facebook, you can lookup the user_id and send back an api_token.
http://developers.facebook.com/docs/authentication/
The best implementation will naturally depend upon your current platform. There are several Ruby on Rails gems, for example, that handle to whole Open Authentication bit for you.