Authentication is critical for verifying the identity of your users in order to know what data they should have access to and what privileged actions they should be able to perform. The Firebase platform provides powerful libraries that let us easily integrate authentication into our projects.
In this article, we are going to implement authentication by building a RESTful API and a web app that allows a user to sign up with a secure note that will be accessible only to the user. We’ll be using Node.js and Express to build the API, and React.js to create the single-page web app.
The complete source code for the app is available here on GitHub.
What You’ll Need
Node.js installed
A Google account – to use Firebase
Basic knowledge of React.js and Node.js
A code editor – like Visual Studio Code
Setting up Firebase
Before we start coding, let’s head over to the Firebase console and create a new project, so that we can access Firebase services. I’m naming mine cb-auth-tutorial, but you can name yours whatever you like.
After giving it a name, you’ll be asked whether you want to enable Google Analytics. We won’t be using the service for this tutorial, but you can turn it on if you like.
After completing all the steps, you’ll be taken to the dashboard, where you can see an overview of your Firebase project. It should look something like this:
Let’s create a web app. Click this icon button to get started:
You’ll be asked to enter a nickname for the app. This can also be anything you like. I’m naming mine CB Auth Tutorial, for symmetry with the project name.
After registering the app, you’ll be provided with a configuration that you’ll need to initialize your app with to be able to access the various Firebase APIs and services.
From the dashboard sidebar, click on Build > Authentication, then click on Get started on the screen that shows to enable Firebase Authentication. You’ll be asked to add an initial sign-in method.
Click on Email/Password and turn on the switch to enable it.
Next, we’ll set up Firebase Firestore.
Click on Build > Firestore Database in the sidebar, then click the Create database button on the page that shows to enable Firestore.
You’ll be presented with a dialog that will take you through the steps to create the database.
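We won’t be accessing Firestore from the client side, so we can create the database in production mode, whose default security rules deny all client reads and writes. The Firebase Admin SDK bypasses security rules when interacting with Firestore, so our API can still read and write the data.
Next, we’ll need to generate a service account key, a JSON file containing the credentials we’ll use to initialize our admin app so that it can create the custom tokens we’ll send to the client. Follow these instructions in the Firebase Documentation to do this. Treat this file as a secret: it grants administrative access to the Firebase project, so keep it out of source control.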
Let’s install the Firebase CLI tools with NPM. Run the following command in a terminal to do so:
npm i -g firebase-tools
Let’s create a new folder for the project. I’m naming mine auth-tutorial for symmetry with the Firebase project, but you can name it whatever you like.
Initialize Firebase in the project directory with the following command:
firebase init
We’ll be using Firebase Functions and Firebase Emulators, so select these when asked to choose the features you want to set up for the project directory.
The next prompt is for you to associate the project directory with a Firebase project. Select Use an existing project and choose the project you created earlier.
We’ll be using plain JavaScript to write the functions, so choose that when asked about the language you want to use.
We’ll be using the Firebase Functions emulator to test our functions, so select it when asked to set up the emulators.
After you’ve initialized Firebase, your project directory structure should look like this:
Creating the REST API
We’ll need the following NPM packages to write our function:
express: Node.js web framework to speed up development.
cors: Express middleware to enable CORS (Cross-Origin Resource Sharing).
morgan: Logger middleware for Express.
is-email: For server-side email validation.
firebase: To authenticate users with the Firebase Web SDK.
Let’s install them all with one command:
npm i express cors morgan is-email firebase
Let’s write the handler function for the /register endpoint. Create a new folder named express in the functions directory, containing a sub-folder named routes, and create a new register.js file in routes with the following code:
If all validation is successful, the secure note of the new user will be saved in the Firestore database. Let’s create the function that will handle POST requests to the /login endpoint in a new login.js file, also saved in the routes directory.
Notice that the /login and /register route handlers don’t perform validation on the email or password sent in a request. This is because we’ll be creating custom Express middleware to do this instead. Create a new middleware sub-folder in the express folder, and create a new validate-email-and-password.js file in it, containing the following code:
Here we check that a password and a valid email are specified in the request body. If they are, the request is passed on to the next middleware. Otherwise, we end the request with an error.
Let’s create the endpoint that will allow the fetching of the secure note of a logged-in user. We’ll do this in a new get-user.js file saved in the routes folder.
We respond with an error if a user is not specified, or the user making the request for the data is not the owner.
req.token.uid is supplied by another middleware that verifies the token sent along when making an authenticated request to the API. Let’s create this middleware in a firebase-auth.js file located in the express/middleware folder.
We verify that the JSON web token sent is a valid token and assign it to the req.token property if so. Otherwise, we send a 401 error.
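The token check and the owner check described above, sketched as an added example (not the tutorial's own code). The Admin SDK's verifyIdToken and the Firestore read are replaced by injected stand-ins so it runs offline; the Bearer header format, the userId parameter name and the 400/403 status codes are assumptions.

```javascript
// Added example, not the tutorial's code. `verifyIdToken` and `loadNote` are
// injected so the logic runs offline; in the real app they would be
// admin.auth().verifyIdToken and a Firestore read (assumptions).
function firebaseAuth(verifyIdToken) {
  return async (req, res, next) => {
    const match = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
    if (!match) return res.status(401).json({ error: 'missing-token' });
    let decoded;
    try {
      decoded = await verifyIdToken(match[1]);
    } catch (err) {
      return res.status(401).json({ error: 'invalid-token' });
    }
    req.token = decoded; // claims come from the verifier, never from the client
    return next();
  };
}

// Handler: the userId path parameter (assumed name) must equal the verified uid.
function getUser(loadNote) {
  return async (req, res) => {
    const { userId } = req.params;
    if (!userId) return res.status(400).json({ error: 'user-not-specified' });
    if (userId !== req.token.uid) return res.status(403).json({ error: 'not-owner' });
    return res.status(200).json({ secureNote: await loadNote(userId) });
  };
}

// Constructed stand-ins for the Admin SDK, Firestore and the Express objects.
const fakeVerify = async (t) => {
  if (t !== 'good-token') throw new Error('bad signature');
  return { uid: 'alice' };
};
const fakeNotes = { alice: 'alice note', bob: 'bob note' };
const fakeLoad = async (uid) => fakeNotes[uid];

// Runs one request through both steps and returns { status, body }.
async function simulate(authorization, userId) {
  const out = {};
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  const req = { headers: { authorization }, params: { userId } };
  await firebaseAuth(fakeVerify)(req, res, () => getUser(fakeLoad)(req, res));
  return out;
}
```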
Now it’s time to integrate all these modules together in an Express app that will respond to any request made to the api cloud function. Replace the index.js file in the functions folder with the following code:
This file will be run to start Firebase Functions. We used the initializeApp() method from the firebase-admin module to initialize the Firebase Admin SDK with the service account key file you should have created earlier.
We also used the initializeApp() method from the firebase/app module to initialize Firebase Web with a configuration stored in a firebase.config.js file. You were given this configuration earlier when you created the web app in the Firebase console.
functions/firebase.config.js
/**
Enter the configuration for your Firebase web app
module.exports = {
apiKey: ...,
authDomain: ...,
projectId: ...,
storageBucket: ...,
messagingSenderId: ...,
appId: ...,
measurementId: ...
}; */
We can now start Firebase Functions in the emulator, by running the following command in the project directory.
firebase emulators:start --only functions
Testing the API
We haven’t written client code yet but we can test our API with a tool like Postman, or we can use one of the methods described here in the Firebase documentation.
Here we’re testing the /register endpoint with Postman:
Creating the Client App with React
Let’s write the client app that will interact with our RESTful API. Create a new React app with Create React App.
npx create-react-app client
We’ll be using the following NPM packages in the React app:
Material UI (@mui/material, @emotion/react, @emotion/styled): To style our client UI and make it attractive.
axios: To make HTTP requests to the API we’ve created.
react-router-dom: For single-page app routing.
react-hook-form: For easier React form validation.
firebase: The Firebase Web SDK library.
react-firebase-hooks: Provides a set of reusable React hooks for Firebase.
Test that the app is up and running by opening localhost:3000 in your browser. You’ll see the results of the standard React.js boilerplate in your client/src/App.js file. We’ll edit this file later.
The URL origin of the cloud functions running in an emulator is different from the one it has when running in a production environment. Let’s create a .env file to specify the different origins. The values you’ll need to specify will depend on the name you gave your Firebase project.
Let’s create a module that would be responsible for making the HTTP requests to our RESTful API using axios. Create this module in an api-service.js file.
Wrapping a route component in the RequireAuth component will ensure that only authenticated users will be able to view it. If not signed in, the user will be taken to the /signin route and then redirected back to the route that they were trying to view after a successful sign-in.
The AuthProvider component allows its children to access important authentication-related data and methods using a React context and its provider. The useAuth() hook will provide the context values to the child components with the useContext() hook.
The signIn() and signUp() methods make requests to the API. If successful, a token will be received and passed to the signInWithCustomToken() method from the firebase/auth module to authenticate the user in the browser.
Now it’s time to create the sign-up page. Users sign up with an email, a password, and a secure note. We’ll do this in a SignUp.jsx file in a new routes folder.
We use the Controller component from react-hook-form to register the Material UI TextField component with react-hook-form. We set validation rules with the Controller rules prop to ensure that the user enters a valid email, a password, and a secure note.
react-hook-form ensures that the onSubmit() function is only called when all the validation rules have been satisfied. In this function, we register the user with the signUp() method from the useAuth() hook we created earlier. If successful, we take the user to the index route (/). Otherwise, we display the appropriate error message.
Let’s also create the sign-in page in a SignIn.jsx file in the same routes folder.
Unlike in the SignUp component, here we use the signIn() method from the useAuth() hook to sign the user in.
The HTTP errors we handle here are different from the ones we handle in SignUp. In SignUp, we display an error if the email the user attempted to sign up with has already been used. But here we display errors for a non-existent email or a wrong password.
Now let’s create the component that will be shown for our index route. Replace the contents of App.js with the following:
If the user hasn’t been authenticated, we let them know they’re not signed in and include the relevant links to do so.
If they’ve signed in, we make a request to the API to get the secure note and display it.
We used a dataState variable to keep track of the current state of the API request and display an appropriate view to the user based on this.
We set dataState to loading just before making the request to let the user know that their data is in the process of being retrieved.
If an error occurs in this process, we let them know by setting dataState to error:
Finally, let’s initialize Firebase and set up the routing logic in our index.js file.
client/src/index.js
import React from 'react';
import ReactDOM from 'react-dom/client';
import './index.css';
import App from './App';
import reportWebVitals from './reportWebVitals';
import {
  BrowserRouter,
  Route,
  Routes,
} from 'react-router-dom';
import SignIn from './routes/SignIn';
import { AuthProvider } from './auth';
import { initializeApp } from 'firebase/app';
import firebaseConfig from './firebase.config';
import SignUp from './routes/SignUp';

initializeApp(firebaseConfig);

const root = ReactDOM.createRoot(
  document.getElementById('root')
);
root.render(
  <React.StrictMode>
    <AuthProvider>
      <BrowserRouter>
        <Routes>
          <Route path="/" element={<App />} />
          <Route path="/signin" element={<SignIn />} />
          <Route path="/signup" element={<SignUp />} />
        </Routes>
      </BrowserRouter>
    </AuthProvider>
  </React.StrictMode>
);
reportWebVitals();
There should be a firebase.config.js file in your src directory that contains the config you received when setting up the web app in the Firebase console. This is the same config we used to initialize the Web SDK in the Admin environment when we were writing the API.
client/src/firebase.config.js
/**
Enter the configuration for your Firebase web app
module.exports = {
apiKey: ...,
authDomain: ...,
projectId: ...,
storageBucket: ...,
messagingSenderId: ...,
appId: ...,
measurementId: ...
}; */
The app should be fully functional now!
Conclusion
In this article, we learned how to easily set up authentication in our web apps using Firebase. We created a RESTful API with Node.js and the Express framework to handle requests from a client app that we built using React.js and Material UI.