
I'm implementing a node.js server using express.js for REST and Firebase for data storage.

I have read Using NodeJs with Firebase - Security, and it could be implemented in this manner, but in my case I need to send data to the server and the server must return a redirect address, so using Firebase as a communication channel is a bit complex.

I'm currently verifying clients' identity at the server by sending a Firebase auth token as a query parameter and checking authorization with the Firebase auth() method.

var Firebase = require("firebase");
// dataRef points at the Firebase being used; the URL below is a placeholder
var dataRef = new Firebase("https://<your-firebase>.firebaseio.com/");

// CLIENT_TOKEN is the token the client passed in as a query parameter
dataRef.auth(CLIENT_TOKEN, function(error) {
  if(error) {
    console.log("Login Failed!", error);
  } else {
    console.log("Login Succeeded!");
  }
});

The problem is that on the server I also need Firebase "admin" privileges. To achieve this, I need to authenticate again using the Firebase auth() method with an admin token (generated by firebase-token-generator).

var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
var token = tokenGenerator.createToken({some: "arbitrary", data: "here"});

I noticed that there is a limitation in the auth() method:

Note that all references to a Firebase share the same authentication status. So if you call new Firebase( ) twice and call auth() on one of them, they will both be authenticated.

Is there a way to implement this without calling auth() twice?

Or are there better solutions to do this?

Tola
  • You can use the REST API to quickly check if someone has a valid token or not. There's a way to isolate two Firebase references from each other, but it's undocumented so I wouldn't recommend it. – Anant Sep 26 '13 at 19:28
  • Oh, you mean the Firebase REST API! I'll check that one. But how about using https://github.com/hokaccha/node-jwt-simple to decode the token sent to the server and to check who is the owner? – Tola Oct 23 '13 at 11:51
  • Yes, using a generic JWT library to decode the token will certainly work! – Anant Oct 23 '13 at 17:30

1 Answer

Based on the comments and after the implementation, it seems the best solution is to use a generic JWT library, such as: https://github.com/hokaccha/node-jwt-simple

With the help of the library, you can decode the token with the Firebase secret:

var jwt = require("jwt-simple");

// decode the token; jwt-simple also checks the HS256 signature against the secret
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> {"v":0,"iat":1359943067,"d":{"id":"user@fb,com"}}

The decoded token contains iat (issued at) and may contain exp (expires). If exp is not provided, the default expiration time for a Firebase token is 24 hours. You need to check whether the token has expired.

More details at: https://www.firebase.com/docs/security/custom-login.html

Tola