I want some help with the database implementation in my project.
The final implementation:
Website:
I want to make a (flask) website where the user can create or delete an account.
Desktop application:
I also want to make a (PyQt) python application that the user can log in to his/her account via a login prompt.
Database:
I want to make a (firebase) database so the users can authenticate. The database will also collect some user information except the authentication credentials.
The implementation until now:
Firebase:
I created a “web app” in firebase so I communicate with firebase via firebaseConfig
Flask website:
I created a flask website that communicates with the firebase via the firebaseConfig. The user fills in a form, and the firebase authentication creates a user via (create_user_with_email_and_password). The database, also, collects some extra user information.
(I think that my code is “safe” as it is server-side)
The problem:
Python application:
I created a python application that the user can log in to the firebase authentication. The problem I faced is that I “have to” include the firebaseConfig in my python code. With the firebaseConfig I can create and delete users, but I don’t want the other users to have the ability to do this.
(so I think my code is unsafe because the communication with the firebase is client-side so someone may decompile the code and get the firebaseConfig).
What is the best way to make my project safer?
It sounds like you're using the Firebase Admin SDK for Python, which (like all Admin SDKs) runs with elevated privileges and should only be used in trusted environments (such as your development machine, a server that you control, or Cloud Functions/Cloud Run).
There is no Firebase-provided SDK for use in Python applications that you ship to regular users of your app. That means that your options are limited to either using the REST API to sign in with Firebase, or to use a 3rd party library, such as Pyrebase (be sure to not use a service account there, as that'd make it run with the same elevated privileges as the Admin SDK).
Related
How to authenticate users using only external system logins on the superset.
like this.
Is this possible?
I've never used Python at all, but I need to customize a superset.
The external login system is an oauth 2.0 based authentication system.
I want to authenticate using a token stored in local storage or using a login page provided by the authentication system of an external login system.
Is this possible?
If user authentication is not possible with an external authentication system alone, please explain how to use Superset's user authentication and external authentication system together.
You can begin with the official documentation on superset, although you'll probably have to tinker further to get it working:
https://superset.apache.org/docs/installation/configuring-superset#custom-oauth2-configuration
I made a CLI application in Python which uses Google Dialogflow.
As the documentation provides, I created a Service Account and downloaded the JSON file. Then I loaded it in Python and the application works.
Now I want to publish my software on GitHub and pip but when I load all the files I receive an e-mail from Google that states that I am not managing correctly my credentials. And I agree with that.
The problem is that I do not understand how to manage properly those credentials.
There is 2 solutions:
Either anyone can access to your backend, and you don't need a service account, because it's pubilc
Or, it's private and you don't publish your key (if the secret is known of everyone, the security is useless, make it public!). It's a requirement of the deployment to not commit publicly but to document and to explain how to configure the correct service account to use your app.
Provide more on your context and want you want to achieve to have better pieces of advice. What do you want to protect? Where will you deploy your app? ...
I am trying to understand what Azure flow I should use for building a python based command line interface application. I simply want to be able to have a CLI where I can authenticate the application user without the whole complication of opening web browsers to perform the authentication. In addition, the desire by my company is to not user username/password authentication. How do I pick up an authentication token where the user of the application can be identified such that I can use that token within my application to pull other information about the user from the Graph API without the user having to open browsers to enter their credentials?
For your scenario, it is recommended to use device code flow which helps you to easily easily develop command-line tools that run on even Linux or Mac. This flow is also used for applications without a browser.
Please find an Python Sample for device code flow.
Just have a small doubt, I am building a small application in python which will use firebase database and storage, I am reading too much about firebase admin sdk, What is the basic difference between normal firebase services and firebase admin sdk or is it one and the same, also if i am starting development now is using firebase admin sdk recommended...?
Also i will integrate the database and storage to my android application.
I'll add on to what Doug said in his answer, I suspect you might be confusing the front-end Firebase packages with back-end admin packages.
If you are going to have the client interact with Firebase, you'll need to use front-end packages. Depending on the platform your front-end is being presented on (Web, iOS, Android, etc...) there are different options to suit your platform... web=JavaScript SDK... ios=ios SDK... etc...
The Admin SDKs allow you to add back-end functionality. Because there are so many different languages that can be used on the back-end, there are many flavors of the Admin SDK.
This release-notes page does a good job demonstrating the many "Firebase" packages available... both front-end and back-end.
If you're writing code with python and you want to access Firebase and Cloud serivces, the recommended option is to use the admin SDK. It's designed to be the easiest way to read and write data in your database, upload and download files to your Cloud Storage buckets, and perform other administrative functions, such as authenticated user management.
I'm not sure what you mean by "normal Firebase services".
Python Firebase admin SDK: If you use Firebase Admin SDK then you can have admin access to things without worrying about restrictions and rules on your database.
Python Firebase: If you use python firebase (normal firebase) then you need to authenticate each time you access your data (Means you can set rules and permissions for your document)
When I go to appengine.google.com/a/mydomain.com i am able to login and
see all my apps and administer them.
However, when I try to use the remote_api the same username/password does not work.
I'm using the interactive console code from http://code.google.com/appengine/articles/remote_api.html
This is a known issue with Google Accounts authentication. If you created an app and set it to use Google Accounts for authentication, and you yourself use a Google Apps account, you will not be able to authenticate against your app as an administrator using that account, even if you've created a Google Account for that email address. The workaround for now is to create a gmail account and add it as an administrator of your app, using that whenever you need to authenticate against your app as an administrator. You can still use your existing account for deployments and to log in to the admin console.
It's a pain, I know - I run into it every day myself.
I've come across the same issue while developing for GAE on google apps. To make it work, I've created a simple wrapper around a snippet provided by Nick (blog.notdot.net - I can't seem to find the proper reference right now) that has been working for me. You can find it here.