Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@firebase/auth
Advanced tools
The Firebase Authenticaton component of the Firebase JS SDK.
The @firebase/auth package is part of the Firebase JavaScript SDK, providing robust authentication functionality for web and mobile applications. It supports various authentication methods, including email and password, third-party providers like Google and Facebook, and more. This package helps in managing user authentication states, securing user data, and integrating with other Firebase services.
Email and Password Authentication
Allows users to sign up using their email and password. It also handles user sign-in and management of user sessions.
firebase.auth().createUserWithEmailAndPassword(email, password).then((userCredential) => { var user = userCredential.user; }).catch((error) => { var errorCode = error.code; var errorMessage = error.message; });
Social Auth Providers
Supports authentication with different social media providers such as Google, Facebook, Twitter, etc. This example uses Google for authentication.
var provider = new firebase.auth.GoogleAuthProvider(); firebase.auth().signInWithPopup(provider).then((result) => { var token = result.credential.accessToken; var user = result.user; }).catch((error) => { var errorCode = error.code; var errorMessage = error.message; });
Phone Number Authentication
Enables sign-in using a phone number with SMS verification. This method sends an SMS to the user's phone number with a verification code.
firebase.auth().signInWithPhoneNumber(phoneNumber, appVerifier).then((confirmationResult) => { var verificationCode = window.prompt('Please enter the verification code that was sent to your mobile device.'); return confirmationResult.confirm(verificationCode); }).catch((error) => { var errorCode = error.code; var errorMessage = error.message; });
Passport is an authentication middleware for Node.js. Unlike @firebase/auth which is tightly integrated with Firebase services, Passport works with any type of application and supports extensive authentication mechanisms through strategies.
Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. It provides a broader set of features compared to @firebase/auth, including advanced user management, multi-factor authentication, and extensive integration options.
This is the Firebase Authentication component of the Firebase JS SDK.
This package is not intended for direct usage, and should only be used via the officially supported firebase package.
The modular Auth SDK has both unit tests and integration tests, along with a host of npm scripts to run these tests. The most important commands are:
Command | Description |
---|---|
yarn test | This will run lint, unit tests, and integration tests against the live environment |
yarn test:<platform> | Runs all browser tests, unit and integration |
yarn test:<platform>:unit | Runs only <platform> unit tests |
yarn test:<platform>:unit:debug | Runs <platform> unit tests, auto-watching for file system changes |
yarn test:<platform>:integration | Runs only integration tests against the live environment |
yarn test:<platform>:integration:local | Runs all headless <platform> integration tests against the emulator (more below) |
yarn test:browser:integration:prodbackend | Runs TOTP MFA integration tests against the backend (more below) |
Where <platform> is "browser" or "node". There are also cordova tests, but they
are not broken into such granular details. Check out package.json
for more.
To test against the emulator, set up the Auth emulator
(instructions).
The easiest way to run these tests is to use the firebase emulators:exec
command
(documentation).
You can also manually start the emulator separately, and then point the tests
to it by setting the GCLOUD_PROJECT
and FIREBASE_AUTH_EMULATOR_HOST
environmental variables. In addition to the commands listed above, the below
commands also run various tests:
yarn test:integration:local
— Executes Node and browser emulator
integration tests, as well as the Selenium WebDriver tests
yarn test:webdriver
— Executes only the Selenium WebDriver
integration tests
Note - The webdriver tests require the Chrome webdriver to match the version of Chrome running locally.
In the CI environment, this is ensured using the environment variable here.
When running locally, change the chromedriver version in package.json to match your local Chrome version and run yarn install
.
For example, to run all integration and WebDriver tests against the emulator, you would simply execute the following command:
firebase emulators:exec --project foo-bar --only auth "yarn test:integration:local"
Currently, MFA TOTP and password policy tests only run against the production backend (since they are not supported on the emulator yet). Running against the backend also makes it a more reliable end-to-end test.
The TOTP tests require the following email/password combination to exist in the project, so if you are running this test against your test project, please create this user:
'totpuser-donotdelete@test.com', 'password'
You also need to verify this email address, in order to use MFA. This can be done with a curl command like this:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -H "X-Goog-User-Project: ${PROJECT_ID}" -X POST https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode -d '{
"email": "totpuser-donotdelete@test.com",
"requestType": "VERIFY_EMAIL",
"returnOobLink": true,
}'
The password policy tests require a tenant configured with a password policy that requires all options to exist in the project.
If you are running this test against your test project, please create the tenant and configure the policy with the following curl command:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -H "X-Goog-User-Project: ${PROJECT_ID}" -X POST https://identitytoolkit.googleapis.com/v2/projects/${PROJECT_ID}/tenants -d '{
"displayName": "passpol-tenant",
"passwordPolicyConfig": {
"passwordPolicyEnforcementState": "ENFORCE",
"passwordPolicyVersions": [
{
"customStrengthOptions": {
"minPasswordLength": 8,
"maxPasswordLength": 24,
"containsLowercaseCharacter": true,
"containsUppercaseCharacter": true,
"containsNumericCharacter": true,
"containsNonAlphanumericCharacter": true
}
}
]
}
}'
Replace the tenant ID passpol-tenant-d7hha
in test/integration/flows/password_policy.test.ts with the ID for the newly created tenant. The tenant ID can be found at the end of the name
property in the response and is in the format passpol-tenant-xxxxx
.
These tests assume that you have both Firefox and Chrome installed on your
computer and in your $PATH
. The tests will error out if this is not the case.
The WebDriver tests talk to the emulator, but unlike the headless integration
tests, these run in a browser robot environment; the assertions themselves run
in Node. When you run these tests a small Express server will be started to
serve the static files the browser robot uses.
FAQs
The Firebase Authenticaton component of the Firebase JS SDK.
The npm package @firebase/auth receives a total of 985,971 weekly downloads. As such, @firebase/auth popularity was classified as popular.
We found that @firebase/auth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.