Firebase Authentication — The secure way

Authentication is a very important feature of sensitive applications — web, mobile or desktop. Authentication often goes hand in hand with Authorization; whereas the former is used to VERIFY THE IDENTITY of a user of a platform, the latter is used to permit or reject ACCESS to resources based on the identity of the entity requesting the resource.

Firebase helps developers to easily and quickly implement authentication logic in their applications, giving them time and room to focus on other more platform-specific logic. Every productive developer should want to take this approach.

The default approach to using Firebase Authentication though has a security risk which can be mitigated. What is this default implementation approach and what is the risk associated with it? What can be done to mitigate this risk?

The default approach

AUTHENTICATION is implemented using the client SDKs for Android, iOS or Web client SDKs.

AUTHORIZATION is done on the server using the Firebase Admin SDK for Node.js, Python, Java or GO.

The security risk

The aim of authentication is to AFFIRMATIVELY VERIFY THE IDENTITY OF USERS. This aim can be easily defeated in client applications. Client applications can be easily modified; and when you entrust the entire AUTHENTICATION process to a client application, you expose your authentication logic to the world and it doesn’t require a lot of smarts to weaken the authentication layer by modifying the client application.

With Firebase, one need not modify the client application; just grab the keys and you’re good to go. And your server could be easily fooled into serving requests for and permitting resources to a user that was not properly authorized.

Mitigating the risk

Move core authentication logic to your server!

How can this be done?

This is actually an abstract for a talk I intend to give at GDG DevFest 2017 in Aba and Ibadan 😃 . I’ll update this repo with slides, guides and perhaps sample codes subsequently.

In the meantime, feel free to examine this library for implementing firebase authentication on a node js server environment.

Extras

Learn how to use Firebase REST to extend the power of Firebase Authentication to yet officially un-supported server-side languages like PHP and ASP.

Why I’m an authority on this topic

I’ve delved pretty deep into Firebase Authentication

• Contributor to Firebase Authentication for .NET SDK
• Wrote Server-side Firebase Authentication for Node.js SDK
• Currently building a Server-side Firebase Authentication for Java SDK with a friend and colleague (Sokari Gillis-Harry) as part of a project: nearbuy.ng

About me

I’m an avid learner, and a fervent teacher.

I call myself a

• #ChangeArchitect because I can’t stay somewhere without seeking to improve matters;
• #WideStack Developer because I spent the better part of my last 4–5 years gathering knowledge and experience on various programming languages, technologies, tools and stacks.
• No one who knows me debate those titles 😏

I build for

The web

• Front end with Bootsrap, jQuery and Angular
• Back end with PHP, ASP and Node js (Node js is my personal favorite)

Android

• Primary language — Java
• Primary IDE — Android Studio
• Also build with Xamarin and Android Studio
• A big fan of Kotlin but I don’t use it much yet

iOS

• With Swift and Xcode
• With Xamarin and Visual Studio

I’ve built apps for

• Blackberry 7.1
• Windows Phones

Disclaimer

Thoughts and opinions shared are solely mine. This article was inspired by a conversation with the fireman himself, Sokari Gillis-Harry on this topic. Supporting and/or contrary thoughts are most welcome.