Request for a feature to secure custom API endpoints. #450
Comments
|
Thanks for the issue. If you're looking to protect an endpoint, here's an example using the Authorization header and a Firebase token: You can create a reusable module to handle authorization across multiple endpoints. If you're specifically looking to use cookies for auth, there's an open issue to support the functionality: #223 Do these address your issue? If so, I'll close this. |
kmjennison
added
needs info/repro
|
|
1. Great!
2. Yes, this can be improved. We could add an example in the README and
maybe call it out near the top. Feel free to open an issue or PR.
3. That's handled under the hood by Firebase.
…On Fri, Mar 18, 2022, 6:07 PM Hung Vu ***@***.***> wrote:
Thanks for the issue.
If you're looking to protect an endpoint, here's an example using the
Authorization header and a Firebase token:
https://github.com/gladly-team/next-firebase-auth/blob/main/example/pages/api/example.js
You can create a reusable module to handle authorization across multiple
endpoints.
If you're specifically looking to use cookies for auth, there's an open
issue to support the functionality: #223
<#223>
Possibly related: #418
<#418>, #278
<#278>
Do these address your issue? If so, I'll close this.
1. Yes, that addresses my issue. I did miss the example.
2. Am I right to say the front page documentation is lacking in this
regard? It's mostly about securing pages, not endpoints. Although, If I
read the documentation more carefully, I may not have opened this issue.
3. Regarding verifyIdToken in the example, it seems token revocation
is not checked or is it done underneath? What I mean is a call using verifyIdToken(yourID,
true).
—
Reply to this email directly, view it on GitHub
<#450 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABNGLZLOUCWYI7DOGD7Q3SLVAT5AZANCNFSM5Q4WLFTQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
This discussion might derail from an original PR purpose, but please correct me if I'm wrong. I believe Firebase does not check for token revocation by default. An explicit option must be added. This is under the assumption that a user does not use any Firebase features (e.g. security rules) aside from authentication service. For example, a server is on another cloud provider. References |
|
Sorry, I wasn't very clear. Yes, you're right about that: we don't pass |
|
You're right, the short-lived ID Token will expire after an hour. A revoked token cannot be refreshed afterward. However, during that 1-hour timeframe, the application is vulnerable if a token is compromised. Or does // Securing an API
try {
await verifyIdToken(token) // Always true unless one hour has passed after the revocation.
} catch (e) {
return res.status(403).json({ error: 'Not authorized' })
} |
That's correct. Fixing this is out of scope for this library, but we could expose an option to allow developers to always check for token revocation. In that case, the library would pass I believe there are discussions elsewhere about how other apps deal with this in Firebase; for example, you might keep recently-revoked UIDs in memory for a quick lookup on your auth server. |
May I ask how to use that option? As far as I can see However. we have a refresh token (retrievable from |
|
@hunghvu My mistake, I missed typing word that changed this a lot. "we could expose an option" -- we don't have this option now but could consider adding it if developers need it. |
|
Sounds great. Thanks for answering all of my questions. From the discussion, the following may have their own issues.
I will close this issue. |
Is your feature request related to a problem? Please describe.
It appears the package does not provide server-side authentication for custom Next.js API endpoints. The current features only work for SSR pages with Firebase API call (e.g., Render page with populated information or redirect to Auth page), but there is nothing like a middleware, guard for custom endpoints.
A practical example is when users want to host applications on Google Cloud and use Google Identity Platform (IdP) for their organization authentication (for regulatory compliance purposes). Firebase/Admin SDK is required to interact with IdP, but users don't use any other Firebase functionalities. If there is an internal an endpoint
api/get-info/, only authenticated users are able to access it.Describe the solution you'd like and how you'd implement it
verifySessionCookieinternally, we need a unified cookie (Support one unified cookie with a custom name, such as__session, for Firebase hosting #190). The two current cookiesAuthUserandAuthUserTokensdo not work with that API. This can be done either by having an option to return a unified cookie, or perform a server-side processing to transform the two current cookies into one.InitConfig, have an option foronVerifySessionCookieError.verifySessionCookie.Is this a breaking change?
No.
Describe alternatives you've considered
If using Firebase Admin SDK directly, then this is achievable via a middleware with Firebase's
verifySessionCookie. However, the downside is users need to rebuild the whole authentication flow, which is not desirable.There is a chance my proposal is wrong in some ways, please feel free to correct the mistakes.
The text was updated successfully, but these errors were encountered: