Android Question FirebaseAuth - UserID and TokenID

LucaMs

Expert
I am a little bit confused.

1) two members said that the UserId sometimes... changes;
2) the TokenId was explicitly declared temporary by Erel:
https://www.b4x.com/android/forum/t...henticate-your-users.67875/page-2#post-435657
"... This method retrieves a temporary token id" (the method is GetUserTokenID)
but then Erel created the jFirebaseServer library, with this comment:

"This means that the signed in user gets a token id (long string) from Firebase services by calling FirebaseAuth.GetUserTokenId. The client sends the token id to the server.
The server verifies the token using this library".

Which, for me, means: "save this TokenID somewhere on your server (users db) to verify user and app"; but... using a temporary token?

Finally, GetUserTokenId, given its name and the parameter it requires, a FirebaseUser object, I think retrieves a TokenId associated with that user, so I don't understand how we can be sure that it was our app that sent the request (login, for example).


Finally 2, the revenge :): it's a little bit hard to create a "standard login", with GUI, allowing the user to choose between a "custom login" (Email, PW) and Google-Firebase login, because of:

events (SignedIn - which seems to be raised after Activity_Resume - and TokenAvailable);
you should check for an active internet connection (and the only way I found that works is to download something from somewhere);
etc.

(perhaps this is not the right time to think about all this... 3:37 A.M. :D)
 

LucaMs

Expert
I forgot to mention also this, in my first post:
"There are cases where the SignedIn event is raised multiple times. Your program will need to handle it."

This also helps me to... be more confused :p

(when your code is running, this event is raised randomly, "breaking" the flow?!?! - I hope it's clear what I mean... otherwise I will have to write it in Italian :D)
 

Erel

B4X founder
Staff member
"Which, for me, means: 'save this TokenID somewhere on your server (users db) to verify user and app';"
No. It is used together with FirebaseServer to verify the user. The B4J server gets the token from the client app and verifies it with Firebase servers.
You are not expected to store this id.
 

Erel

B4X founder
Staff member
"But shouldn't the received UID be enough to authenticate the user?"
Not really.

Two scenarios:

1. The mobile app sends the FirebaseUser.Uid with the email to your server. How does your server know that the uid and email are not fake?
2. The uid is a permanent value. If someone got access to the uid of a different user somehow then he can authorize as the other user. The uid shouldn't be treated as a password.

The above issues are solved by the temporary token id. The client gets it from Firebase servers and your server verifies it with Firebase servers.
 

LucaMs

Expert
"However now I understand better ;)"
False :p


Maybe now, reading again.
"The above issues are solved by the temporary token id. The client gets it from Firebase servers and your server verifies it with Firebase servers."
So should I also use the other library, FirebaseServer, to check the CURRENT TokenId? But then I need a B4J server.

Currently I am using only a classic web space with apache-php-mysql, although in the near future I will definitely use a b4j server.

Could the client itself check the Firebase TokenID, or not? If it is a question of security, to prevent abuse, the client will sooner or later receive the authorization from my server and some hacker could in any case intervene at this point of the project.

In short, is there b4a code to perform the verification using the TokenId? I did not find it.


[BTW the ForceRefresh parameter is not clear to me: is it to be used if the user disconnects and reconnects?]
 

LucaMs

Expert
Do you mean if there is no "personal" server? Just a stand-alone app? Or that it is ineffective or insecure to authenticate directly from the client?

Because I'm saying that I'm not using a server of my own (but the Apache of some host), and if I could ask Firebase servers to confirm directly from the client...!

However, if B4A code (or inline Java) is not available, I think I will prepare the app so that it will then authenticate from my future B4J server.
 

Erel

B4X founder
Staff member
"and if I could ask Firebase servers to confirm directly from the client."
This is exactly what you are doing with FirebaseAuth.

Let's say that you are now sending the user name and email address to your server to check his bitcoins status.
How does the server know that the message actually came from this user? Maybe someone hacked your app and hardcoded the email address of a different user.

If this case is not relevant for your solution then you don't need to use FirebaseServer. If it is then you should use it.
 