Knut Holm

Reputation: 4162

Firebase Custom Authentication: Security of Firebase Secret in JavaScript

I would like to use Firebase Custom Authentication in my Angular app. This action is really simple:

var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator("<YOUR_FIREBASE_SECRET>");
var token = tokenGenerator.createToken({ uid: "uniqueId1", some: "arbitrary", data: "here" });

But there is a warning about security of Firebase Secret in the doc page:

Firebase JWTs should always be generated on a trusted server so that the Firebase app secret which is needed to generate them can be kept private.

I am wondering how I can keep my Firebase Secret private if everyone can view my JavaScript source code and read the Firebase Secret there. Am I missing something, or is there no possibility to do this in JavaScript?

Upvotes: 0

Views: 430

Answers (1)

oori

Reputation: 5711

The code you quote is to be run on your Node.js server (hence server-side JavaScript).
The server component FirebaseTokenGenerator takes care of generating the token and sending it back to the JS client, after the client has authenticated to your server, with whatever method you want. That's why it's named custom authentication.

Upvotes: 1
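
The flow described in the answer above, as an added example that is not part of the original answer or of the Firebase library: the server authenticates the client, signs a token with a secret only it holds, and returns just the token. Assumptions: `createToken` here is a plain HS256 stand-in for `FirebaseTokenGenerator.createToken` with an illustrative claim layout, and `FIREBASE_SECRET`, `USERS`, `handleLogin` and `verifyToken` are hypothetical names.

```javascript
// Runs on the server only. The secret is read from the server's environment
// and never appears in anything sent to the browser.
const { createHmac, timingSafeEqual } = require("crypto");

// Constructed placeholder so the example runs offline; set FIREBASE_SECRET in deployment.
const SECRET = process.env.FIREBASE_SECRET || "constructed-demo-secret";

const b64url = (value) => Buffer.from(value).toString("base64url");
const sign = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Stand-in for tokenGenerator.createToken(): an HS256 JWT keyed with the secret.
// The claim layout (iat, d) is illustrative, not the library's documented format.
function createToken(data, secret = SECRET, now = Date.now()) {
  const header = b64url(JSON.stringify({ typ: "JWT", alg: "HS256" }));
  const claims = b64url(JSON.stringify({ iat: Math.floor(now / 1000), d: data }));
  return `${header}.${claims}.${b64url(sign(`${header}.${claims}`, secret))}`;
}

// Hypothetical, constructed user store; use your own store and password hashing.
const USERS = { alice: { uid: "uniqueId1", password: "constructed-password" } };

// What a POST /login handler does: authenticate first, then mint the token.
// The response carries the token only, never the secret.
function handleLogin({ username, password }) {
  const user = USERS[username];
  if (!user || user.password !== password) return { status: 401 };
  return { status: 200, token: createToken({ uid: user.uid }) };
}

// What the verifying side does: recompute the HMAC with the same secret.
// A token signed with any other key fails, so a client cannot mint its own.
function verifyToken(token, secret = SECRET) {
  const [header, claims, sig] = token.split(".");
  if (!header || !claims || !sig) return null;
  const expected = sign(`${header}.${claims}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(claims, "base64url").toString()).d;
}
```

The Angular client would call the login endpoint and hand the returned token to the Firebase client library; the secret stays in the server's environment.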
