markbarton markbarton - 2 months ago 12
Node.js Question

Using NodeJs with Firebase - Security

Due to the need to do some server side code - mainly sending emails I have decided to use Nodejs & Express for the server side element along with Firebase to hold the data - Partly from a learning experience.

My question is whats the best approach with regards to using the client side Firebase library and the Nodejs library when doing authentication using the Simple Email & Password API. If I do the authentication client side and then subsequently call a different route on the NodeJS side will the authentication for that user be carried across in the request. What would be the approach to test the user is authenticated within Node.

One approach I assume is to get the current users username & password from firebase and then post these to NodeJS and then use the firebase security API on the server to test.


Essentially the problem here is you need to securely convey to your NodeJS server who the client is authenticated as to Firebase. There are several ways you could go about this, but the easiest is probably to have all of your client<->NodeJS communication go through Firebase itself.

So instead of having the client hit a REST endpoint served by your NodeJS server, have the client write to a Firebase location that your NodeJS server is monitoring. Then you can use Firebase Security Rules to validate the data written by the client and your server can trust it.

For example, if you wanted to make it so users could send arbitrary emails through your app (with your NodeJS server taking care of actually sending the emails), you could have a /emails_to_send location with rules something like this:

  "rules": {
    "emails_to_send": {
      "$id": {
        ".write": "!data.exists() && newData.child('from').val() ==",
        ".validate": "newData.hasChildren(['from', 'to', 'subject', 'body'])"

Then in the client you can do:

  from: '', 
  to: '', 
  subject: 'hi', 
  body: 'Hey, how\'s it going?'

And in your NodeJS code you could call .auth() with your Firebase Secret (so you can read and write everything) and then do:

ref.child('emails_to_send').on('child_added', function(emailSnap) {
  var email = emailSnap.val();
  sendEmailHelper(email.from,, email.subject, email.body);

  // Remove it now that we've processed it.

This is going to be the easiest as well as the most correct solution. For example, if the user logs out via Firebase, they'll no longer be able to write to Firebase so they'll no longer be able to make your NodeJS server send emails, which is most likely the behavior you'd want. It also means if your server is temporarily down, when you start it back up, it'll "catch up" sending emails and everything will continue to work.