
How to create a secure API using Firebase Auth without installing Firebase SDK on the client

I'm trying to create an API for our app using Express.js endpoints that connect to our Firebase Cloud Firestore database. A main component of responding with the requested information securely is authentication, and we want to be able to make it as straightforward to the users as possible. For example, by them simply sending an API secret key on their requests.

My issue is that all of the authentication mechanisms that Firebase seems to provide require that the client is authenticated with the Firebase SDK, which would be uncomfortable for us to ask users to install.

In short, is there any way that they can either create a Firebase token without the SDK or for us to authenticate them securely with an API key on our end? Note that the connection to our API would only be done through our users' back ends, never front-end clients.

Thanks!

See:

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.

You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.
