Skip to content

Firebase social login#17

Open
jgenc wants to merge 12 commits into
masterfrom
gsoc-2026/firebase-login
Open

Firebase social login#17
jgenc wants to merge 12 commits into
masterfrom
gsoc-2026/firebase-login

Conversation

@jgenc

@jgenc jgenc commented May 30, 2026

Copy link
Copy Markdown
Collaborator

Firebase social login

Summary

  • Add Firebase-based Google & GitHub social login and backend Firebase ID token verification.
  • Support linking existing local accounts to trusted social providers.
  • Add admin access revocation handling across backend, routes, and UI.
  • Update Docker/dev compose setup for frontend + backend local builds.
  • Pin production service images and update frontend Docker builds to Node 20 for Firebase compatibility.
  • Extend deploy workflow to generate Firebase backend/frontend environment variables.

Backend changes

  • Added Firebase token login endpoint and direct backend token verification.
  • Added account linking between verified Firebase users and existing local accounts by email.
  • Added provider tracking on users (local, google, github).
  • Added admin access revocation.
  • Restricted Firebase/social users from local DB deletion.
  • Added a lightweight startup schema migration for the new user auth fields.

Frontend changes

  • Added Firebase client setup for Google and GitHub login.
  • Added social login flow and Firebase-token exchange for backend JWTs.
  • Added provider collision/linking handling for same-email Firebase accounts.
  • Added explicit auth loading state to avoid early route redirects.
  • Updated admin users table with provider display and revoke/restore access action.
  • Hid delete action for Firebase/social users.

DB migration flow

  • New user columns are added on backend startup if missing:
    • firebase_uid nullable, for Firebase-linked/social users only
    • provider
    • access_revoked
  • Existing users default to local, active accounts.
  • firebase_uid stays nullable because local/password users do not have a Firebase identity.
  • Strong follow-up recommendation: add proper versioned migrations, e.g. Alembic, instead of relying on startup schema changes.

Deployment notes

This PR requires the following additional GitHub Actions secrets before deploying:

  • FIREBASE_API_KEY
  • FIREBASE_AUTH_DOMAIN
  • FIREBASE_PROJECT_ID
  • FIREBASE_STORAGE_BUCKET
  • FIREBASE_MESSAGING_SENDER_ID
  • FIREBASE_APP_ID

Regarding Firebase project:

  • New production app is needed for the secrets above
  • New GitHub OAuth app with correct details (App name, URL, description)

Validation

  • Verified docker-compose-dev.yml configuration is valid.
  • Verified production frontend Docker build with Node 20 succeeds.
  • Verified functionality locally using test firebase project
  • Confirmed the old committed Node 14 production image would fail with Firebase/env-cmd dependencies; fixed by updating frontend Dockerfiles to node:20-alpine.

Notes

  • Firebase project configuration must match the production Firebase app and enabled auth providers.
Additional implementation details

Backend functions added

  • migrate_schema()
  • get_firebase_project_id()
  • get_firebase_public_certs()
  • verify_firebase_id_token()
  • provider_allows_local_login()
  • build_firebase_username()
  • extract_firebase_provider()
  • provider_list() / provider_matches() / merge_provider() / merge_firebase_provider() / provider_is_local_only()
  • can_link_local_to_firebase_provider()
  • link_local_user_to_firebase_provider()
  • update_firebase_user_metadata()
  • get_or_create_firebase_user()
  • is_local_user()

Migration follow-up

Strongly recommended follow-up before relying on this in production long-term:

  • Add Alembic/versioned migrations. Alembic is already in back-end/requirements.txt, but the project does not currently have an initialized alembic/ migration setup.
  • Add a migration for users.firebase_uid, users.provider, and users.access_revoked.
  • Keep users.firebase_uid nullable, but add a unique nullable index so real Firebase identities cannot be duplicated.
  • Run migrations before restarting app containers during deploy.
  • Keep migrate_schema() only as a temporary safety net.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant