Android Question FirebaseAuth - UserID and TokenID

[LucaMs]

I am a little bit confused.

1) two members said that the UserId sometimes... changes;
2) the TokenId was explicitly declared temporary by Erel:
https://www.b4x.com/android/forum/t...henticate-your-users.67875/page-2#post-435657
"... This method retrieves a temporary token id" (the method is GetUserTokenID)
but then Erel created jFirebaseServer library, with this comment:

"This means that the signed in user gets a token id (long string) from Firebase services by calling FirebaseAuth.GetUserTokenId. The client sends the token id to the server.
The server verifies the token using this library".

Which, for me, means: "save this TokenID somewhere on your server (users db) to verify user and app"; but... using a temporary token?

Finally, GetUserTokenId, given its name and the parameter it requires, a FirebaseUser object, I think it retrives a TokenId associated to that user, so I don't understand why we should be sure that was our app to send the request (login, for example).


Finally 2, the revenge : it's a little bit hard to create a "standard login", with GUI, allowing the user to choose between a "custom login" (Email, PW) and Google-Firebase login, because of:

events (SignedIn - which seems to be raised after Activity_Resume - and TokenAvailable);
you should check for an active internet connection (and the only way I found is valid is to download something from somewhere);
etc.

(perhaps this is not the right time to think about all this... 3:37 A.M. )

 

[LucaMs]

I forgot to mention also this, in my first post:

There are cases where the SignedIn event is raised multiple times. Your program will need to handle it.

This also helps me to... be more confused

(when your code is running, this event raises randomly "breaking" the flow?!?! - I hope it's clear what I mean... otherwise I will have to write it in Italian )

 

[Erel]

Which, for me, means: "save this TokenID somewhere on your server (users db) to verify user and app";

No. It is used together with FirebaseServer to verify the user. The B4J server gets the token from the client app and verifies it with firebase servers.
You are not expected to store this id.

 

[LucaMs]

It is used together with FirebaseServer to verify the user

But should not be enough the UID received to authenticate the user?

 

[Erel]

But should not be enough the UID received to authenticate the user?

Not really.

Two scenarios:

1. The mobile app sends the FirebaseUser.Uid with the email to your server. How does your server know that the uid and email are not fake?
2. The uid is a permanent value. If someone got access to a uid of a different user somehow then he can send authorize as the other user. The uid shouldn't be treated as a password.

The above issues are solved by the temporary token id. The client gets it from Firebase servers and your server verifies it with Firebase servers.

 

[LucaMs]

Well, if a user is able to get the uid he can get also the email, send them to firebase servers and get the token.

However now I understand better .


Thank you

 

[LucaMs]

However now I understand better

False


Maybe now, reading again.

The above issues are solved by the temporary token id. The client gets it from Firebase servers and your server verifies it with Firebase servers.

So should I use also the other library, FirebaseServer, to check the CURRENT TokenId? But then I need a b4j server.

Currently I am using only a classic web space with apache-php-mysql, although in the near future I will definitely use a b4j server.

The client itself could check the Firebase TokenID, or not? If it is a question of security, to prevent abuse, the client will sooner or later receive the authorization from my server and some hacker could in any case intervene at this point of the project.

In short, is there b4a code to perform the verification using the TokenId? I did not find it.


[BTW it is not clear, to me, the ForceRefresh parameter: is it to use if user disconnect and riconnects?]

 

[Erel]

You only need to use FirebaseServer if you want to authenticate the user on your remote server.

If everything is local then it is not relevant.

 

[LucaMs]

is local

Do you mean if there is not a "personal" server? Just a stand alone app? Or that is it ineffective, insecure to authenticate directly from the client?

Because I'm saying that I'm not using a my personal server (but Apache of some host) and if I could ask firebase servers to confirm directly from the client...!

However, if code b4a (or inline java) is not available, I think I will prepare the app so that it will then authenticate from my future server b4j.

 

[Erel]

and if I could ask firebase servers to confirm directly from the client.

This is exactly what you are doing with FirebaseAuth.

Lets say that you are now sending the user name and email address to your server to check his bitcoins status.
How does the server know that the message actually came from this user? Maybe someone hacked your app and hardcoded the email address of a different user.

If this case is not relevant for your solution then you don't need to use FirebaseServer. If it is then you should use it.