Authentication and Authorization in Firebase

The importance of developing secure applications cannot be overstated these days. Users trust applications with their most sensitive data and expect it to be protected.

When building applications, app security should be a top priority. Developers must confirm users’ identities and ensure that users can only access data they’re allowed.

What is Firebase?

Firebase is a Google-backed Backend-as-a-Service (BaaS) solution that provides developers with a tool kit to build, improve, and grow their applications. Backend-as-a-Service solutions like Firebase eliminate the need for developers to build and manage various back-end services and focus solely on application development. These services include authentication, file storage, databases, hosting, testing, performance monitoring, analytics, and so on.

Authentication in Firebase

Authentication identifies and verifies users of an application. Firebase Authentication utilizes easy-to-use SDKs and ready-made UI libraries to authenticate users and create personalized experiences for users across all devices.

Under the hood, Firebase Authentication uses JSON Web Tokens (JWTs) to authenticate users. It supports authentication mechanisms like email/password and email/link combinations. It also allows phone number authentication and supports social logins with popular federated identity providers like Google and Github. In this tutorial, we will focus only on Google Authentication.

Firebase Authentication allows us to incorporate Google sign-in into our authentication workflow, allowing users to sign in with their Google accounts. To enable this on our application, we must first enable Google Authentication on the Firebase project console:

  • Head to the “Authentication” section on the Firebase console.

  • Click on the “Add New Provider” button on the “Sign-in providers” panel.

  • Select “Google” from the list of native providers shown.

  • Finally, enter a project support email in the popup displayed and hit “Save”.

Next, we must create separate instances for Firebase auth and the Google auth provider object to utilize this sign-in method in our application. Finally, we call the signInWithPopup function and pass in the Firebase auth instance as its first parameter and the Google auth provider instance as the second.

import { getAuth, signInWithPopup, GoogleAuthProvider } from "firebase/auth";
const auth = getAuth();
const provider = new GoogleAuthProvider();
signInWithPopup(auth, provider)
  .then((result) => {
    // do something
  }).catch((error) => {
   // handle error
  }
Authentication in Firebase

Once authenticated, we can listen for users’ authentication states in real time and also make requests to other Firebase services with users’ unique IDs.

Authorization in Firebase

Upon validating the identity of the user accessing resources on our application, it is also necessary to control what operations they can perform. Authorization is the process of specifying the users’ privileges and controlling what resources they access. Firebase secures and controls access to every backend service using security rules.

Firebase Security Rules stand between our data and users, ensuring that our application’s users can only read and write the data they’re allowed. Firebase Security Rules allow us to use an expression language to determine how an end user is allowed to access data in Firebase products. It works by matching a pattern against database or bucket paths and then applying custom conditions to allow read and write access to data at those paths.

Using Firebase Authentication, we can access users’ authentication information and write security rules based on this. For example, the rules below define read and write operations for a path, users/, where the uid subpath could be the unique identifier of any user on our application:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": true,
        ".write": "$uid === auth.uid"
      }
    }
  }
}
Realtime Database Security Rules

In the above, we allow all read operations to the users/ path, but grant write access only to users whose uid matches the subpath value.

Conclusion

Authentication and authorization are essential components of any secure application. It is necessary to implement good authentication and authorization strategies to protect our application’s users and their data from attackers. Firebase provides mechanisms that protect all backend services, making sure that only users can see their own data. In this post, I briefly discussed Firebase Authentication, demonstrated an implementation of Google sign-in, and finally, we discussed securing our application’s data using Firebase Security Rules.

To learn more about authentication and authorization in Firebase, check out the Firebase course on Educative.

Free Resources

Attributions:
  1. undefined by undefined
License: Creative Commons-Attribution NonCommercial-ShareAlike 4.0 (CC-BY-NC-SA 4.0)