We have multiple custom requirements that essentially require us to use our own server and email APIs for user authentication.
We are trying to re-create a passwordless authentication flow and think we got it going. But I wanted to verify if the below is accurate and, in particular, if this is a secure way of doing this.
- Keeping email authentication disabled in Firebase
- Sending the user’s email from the app client to our custom server
- Using the Firebase Admin SDK with createCustomToken, where uid is the user’s email
- Sending an email to the user with a link to the app, where the custom token is attached (we handle rate limiting)
- Verifying this custom token within the app using signInWithCustomToken
Am I missing anything here, in particular any security caveats I need to be aware of?
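A sketch of the server side of steps 2 to 4 of the flow above, as an added example (not code from the original question or from Firebase). `mintCustomToken` and `sendEmail` are injected so it runs without firebase-admin; in production you would pass `admin.auth().createCustomToken` and your own mail API. The per-email rate-limit window, the email normalisation and placing the token in the URL fragment (`#token=`) are assumptions of this example.

```javascript
// Added example, not the original poster's code. Server side of the
// passwordless flow: client posts an email, server mints a Firebase custom
// token and mails a link carrying it. Firebase custom tokens expire one
// hour after issuance, so the link is a short-lived bearer credential.

// Sliding-window rate limiter: at most `limit` requests per key per
// `windowMs` (the policy numbers are assumptions of this example).
function makeRateLimiter(limit, windowMs) {
  const hits = new Map(); // key -> timestamps of recent requests
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      hits.set(key, recent);
      return false;
    }
    recent.push(now);
    hits.set(key, recent);
    return true;
  };
}

// The post uses the raw email as uid. Normalising it first avoids minting
// two different Firebase accounts for "A@x.com" and "a@x.com".
function uidFromEmail(email) {
  return email.trim().toLowerCase();
}

// Token goes in the fragment so it never reaches server access logs or
// Referer headers; the app reads location.hash and calls
// signInWithCustomToken(auth, token) (step 5 of the flow).
function buildLoginLink(appUrl, token) {
  return `${appUrl}/login#token=${encodeURIComponent(token)}`;
}

// Steps 2-4: validate, rate-limit, mint the custom token, send the link.
async function requestMagicLink({ email, mintCustomToken, sendEmail, allow, appUrl }) {
  if (typeof email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { sent: false, reason: "invalid_email" };
  }
  const uid = uidFromEmail(email);
  if (!allow(uid)) {
    return { sent: false, reason: "rate_limited" };
  }
  const token = await mintCustomToken(uid); // admin.auth().createCustomToken(uid) in production
  const link = buildLoginLink(appUrl, token);
  await sendEmail(uid, link);
  return { sent: true };
}

module.exports = { makeRateLimiter, uidFromEmail, buildLoginLink, requestMagicLink };
```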
2 Answers
That approach sounds correct, and matches with the Firebase documentation on signing in with a custom token.
The only security concern is usually around step 4, since that goes through unsecured channels and this is susceptible to man-in-the-middle attacks. In practice it’s not usually a problem, but remains something to be aware of.