Credential system for Firebase Custom Auth System Using Cloud Functions

Question

Scenario:

I want to create an android app which uses username and password for authentication. I decided to use firebase custom auth for that purpose.

From my android app, I am calling a firebase cloud function to authenticate the user with the provided user credentials.

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

Source: https://firebase.google.com/docs/auth/admin/create-custom-tokens

I would like to make use of firebase firestore to store username and password and use it to create custom JWT for Firebase custom authentication in firebase cloud functions.

Question:

1. Should I store user credentials in firebase firestore and if yes, what is the secure way to do so. If no, how should I proceed further?

2. How to create JWT in firebase cloud functions if the credentials passed to the function match with the credentials in firestore.

Note:

I don't have a credential system or own a server.

Answer 1

If you've never created authentication systems before, I highly recommend finding an existing implementation of such an authentication system for your app. Using something that is made by folks that do this for a living, is much less likely to lead to future data leaks that would negatively affect the users of your app.

That said: if you're going to build your own system, you'll want to have a look at this example usename/auth provider in the functions-samples repo. It shows how to receive the data, how to call a backend system, and how to mint a custom token.

For some information on how to store username/password, see Best way to store password in database. Storing this information in Firestore is a common approach, and no better or worse than storing it in any other properly secured cloud-based database.