feat(examples/firebase-auth-firestore): use rest api for server auth#3362
feat(examples/firebase-auth-firestore): use rest api for server auth#3362kentcdodds merged 1 commit intoremix-run:mainfrom
Conversation
Use the Firebase REST API for authenticating server side. The client SDK is stateful. It _may_ not pose a security risk if it is _only_ used for authentication calls, but could lead to severe security issues if users were to also address other libraries such as Firestore through the client SDK. The Firebase Auth REST API gives us equivalent functionality. As far as I'm aware, there are rate limiting issues with both approaches, which I plan to address in a follow up PR. This was previously discussed at remix-run#1811 (comment)
MichaelDeBoey
force-pushed
the
firebase-rest-auth
branch
from
1bd90ea to
c311678
Compare
really don't want to do that. Is it possible to avoid this at all? Sounds like the rate-limiting doesn't impact this PR anyway, so I can probably merge as-is. I'm just really disappointed that Firebase seems to require that we do auth on the client. Is there really no way to avoid that? |
kentcdodds
left a comment
kentcdodds
left a comment
There was a problem hiding this comment.
Definitely an improvement over what we've got currently. Thank you!
@kentcdodds pretty sure I’d need someone from Firebase to give a definitive answer. I could try support.
I've already done the work but I have no problem with it being discarded if it's not wanted. Though it would be good to know your specific objections, as this would:
The only thing I can think of that is slightly ugly is we have to event.preventDefault() before the async function that does auth is called, so if there was a client side error after that then the fallback form post wouldn’t happen. edit: this is what I was proposing #3417 |
3 participants
Use the Firebase Auth REST API for authenticating server side, instead of the Firebase client SDK.
The Firebase Client Auth SDK is stateful. It seems to have been built for the purpose of using it within an application where only one user is logged in at a time (i.e. client applications). It may not pose a security risk if it is only used for authentication calls, but login state is persisted in the module and this could lead to security issues if other features such as
firebase/firestorewere used, as these would behave as the last user to log in.The Firebase Auth REST API gives us the same functionality with no external dependencies and control over state.
This is the API that the client SDK is calling, so it is unnecessary to include the client sdk to call a single endpoint.
As far as I'm aware, there are rate limiting issues with both approaches, which I plan to address in a follow up PR by calling the REST API client side and falling back to server side.
This was previously discussed at #1811 (comment)
Closes: discussion at #1811 (comment)
Testing Strategy: