“Copy this file to your authentication server” - Firebase Custom auth

Question

My goal is to prevent users of multiple login in. I do not want this to be client-side, with like the onDisconnect and onConnect values, but with a server check. I came across t

Answer 1

Implementing custom authentication requires that you have a secure place to mint the custom token that identifies each of your users. You cannot do this securely with only client-side code, because that would mean everyone could claim to be whoever they want.

While you can use Cloud Functions for Firebase to implement a secure back-end without spinning up your own server, I highly recommend against doing that just for the purpose of preventing a user to sign in from multiple locations.

It's important when talking about security to split these two steps:

1. Authentication - a user proving to be who they are
2. Authorization - the authenticated user being able to use your app

There very seldom is a reason to keep a user from proving who they are. Your concern seems to fall onto keeping them from using the app from multiple locations. To do that, it's probably easier to track for each user where they are using the app from already using Firebase Database's presence system.

Also see:

• How to handle multiple connections of the same user on Firebase?
• Android - How to detect same user from multiple devices?
• How to prevent same user logging in from different devices ? My app is paid , so I dont want credentials to be shared