Skip to content

An expression of thoughts on the secure way to implement Firebase Authentication logic in modern applications. Thoughts and opinions are solely mine. Contrary views are most welcome.

Notifications You must be signed in to change notification settings

itswisdomagain/firebase-auth-secure-way

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 

Repository files navigation

Firebase Authentication - The secure way

Authentication is a very important feature of sensitive applications - web, mobile or desktop. Authentication often goes hand in hand with Authorization; whereas the former is used to VERIFY THE IDENTITY of a user of a platform, the latter is used to permit or reject ACCESS to resources based on the identity of the entity requesting the resource.

Firebase helps developers to easily and quickly implement authentication features logic in their applications, giving them time and room to focus on other more platform-specific logic. Every productive developer should want to take this approach.

The default approach to using Firebase Authentication though has a security risk which can be mitigated. What is this default implementation approach and what is the risk associated with it? What can be done to mitigate this risk? That's the body of this talk.

The default approach.

AUTHENTICATION is implemented using the client SDKs for Android, iOS or Web client SDKs. Perform AUTHORIZATION on your server using the Firebase Admin SDK for Node.js, Python, Java or GO.

The security risk

The aim of authentication is to AFFIRMATIVELY VERIFY THE IDENTITY OF USERS. This aim can easily be defeated in client applications. Client applications can be easily modified; and when you entrust the entire AUTHENTICATION process to a client application, you expose your authentication logic to the world and it doesn't require a lot of smarts to weaken the authentication layer by modifying the client application. With Firebase, you may not even need to modify the client application; just grab the keys and you're good to go. And your server could be easily fooled into serving requests for and permitting resources to a user that was not properly authorised.

Mitigating the risk

Move core authentication logic to your server!

How can this be done?

This is actually an abstract for a talk I intend to give at GDG DevFest 2017 in Aba and Ibadan 😃 . I'll update this repo with slides, guides and perhaps sample codes subsequently.

Extras

Learn how to use the core principles highlighted in this talk to extend the power of Firebase Authentication to yet officially un-supported server-side languages like PHP and ASP.

Why I'm an authority on this topic

I've delved pretty deep into Firebase Authentication

About me

I'm an avid learner, and a fervent teacher.

I call myself a

  • #ChangeArchitect because I can't stay somewhere without seeking to improve matters;
  • #WideStack Developer because I spent the better part of my last 4-5 years gathering knowledge and experience on various programming languages, technologies, tools and stacks.
  • No one who knows me debate those titles 😏

I build for

  • The web
    • Front end with Bootsrap, jQuery and Angular
    • Back end with PHP, ASP and Node js (Node js is my personal favorite)
  • Android
    • Primary language - Java
    • Primary IDE - Android Studio
    • Also build with Xamarin and Android Studio
    • A big fan of Kotlin but I don't use it much yet
  • iOS
    • With Swift and Xcode
    • With Xamarin and Visual Studio

I've built apps for

  • Blackberry 7.1
  • Windows Phones

About

An expression of thoughts on the secure way to implement Firebase Authentication logic in modern applications. Thoughts and opinions are solely mine. Contrary views are most welcome.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published