The website I'm working on uses Firebase authentication, and different users have different permissions for which pages they can visit.
The login flow is as follows:
- The user logs in with two parameters, "id" and "email".
- The server uses them to create a custom "uid", then uses the Firebase Admin SDK to create a custom token that is sent back to the client.
- The client logs in with the JavaScript Firebase SDK: firebase.auth().signInWithCustomToken()
- Once the user is logged in, they can select different pages, for example '/foo' and '/bar'.
The problem I am facing is that when they visit new pages, I try to pass the token from the client back to the server (almost identical to how it is done in the Firebase docs), verify the token, and check whether the user has permission to view that page.
I am trying to find the best (and most secure) way to do this. I considered the following options:
- Build the URL with the token, but I heard that this is not good practice, because the token is exposed and session hijacking becomes much easier.
- Pass the token in a request header, but as far as I can tell you cannot add headers when the user clicks a link to another page (or is redirected via JavaScript). The same problem applies to using POST.
What can I do to safely transfer this information to the server and check permissions when the user clicks a link to another page?
authentication firebase firebase-authentication
wolverine239