Firebase for Flask
Flask Firebase Admin
Add Firebase (a Firebase Admin app) to a Flask application.
Installation
pip install flask-firebase-admin
Quickstart
In the simplest case, let's protect a route: we'll require the user to provide a Firebase JWT to access one of our routes:
from flask import Flask, request
from flask_firebase_admin import FirebaseAdmin

app = Flask(__name__)
firebase = FirebaseAdmin(app)  # uses GOOGLE_APPLICATION_CREDENTIALS

@app.route("/unprotected")
def unprotected():
    return {"message": "Hello anonymous user!"}

@app.route("/protected")
@firebase.jwt_required  # This route now requires authorization via firebase jwt
def protected():
    # By default JWT payload is stored under request.jwt_payload
    return {"message": f"Hello {request.jwt_payload['email']}!"}

if __name__ == "__main__":
    app.run(debug=True)  # debug mode is for local development only
Assuming the code above is located in a module named app.py, start the Flask application:
GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json" python app.py
And in a separate terminal window, ping the unprotected route:
$ curl http://127.0.0.1:5000/unprotected
{
  "message": "Hello anonymous user!"
}
Looks good. Now the protected route:
$ curl http://127.0.0.1:5000/protected
{
  "error": {
    "message": "No credentials provided"
  }
}
OK, makes sense. Now with some credentials:
$ TOKEN="your-firebase-token ..."
$ curl -H "Authorization: Bearer ${TOKEN}" http://127.0.0.1:5000/protected
{
  "message": "Hello <your@email.com>!"
}
Excellent. We now have an application with a route that requires the user to provide their Firebase JWT for access!
Internally, the jwt_required method provided by the FirebaseAdmin object calls the firebase_admin.auth.verify_id_token function, which returns a dictionary of key-value pairs parsed from the decoded JWT. This dictionary is accessible via the request object provided by Flask; by default it is attached to the request.jwt_payload attribute.
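jwt_required establishes only that the caller holds a valid Firebase ID token for the project; what that user may do is still the route's decision. The following is an added example, not code from flask-firebase-admin: a policy check over the payload that verify_id_token returned. The name check_claims, the admin custom claim and the sample payloads are hypothetical; uid, email_verified, auth_time and firebase.sign_in_provider are the claim names Firebase places in the verified payload.

```python
import time

class ClaimsError(Exception):
    """A verified token whose claims do not satisfy the route's policy."""

def check_claims(payload, *, require_verified_email=True, allowed_providers=None,
                 required_claims=None, max_auth_age=None, now=None):
    """Authorize a payload already verified by verify_id_token; return the uid."""
    now = time.time() if now is None else now
    uid = payload.get("uid") or payload.get("sub")
    if not uid:
        raise ClaimsError("token has no subject")
    # Anonymous and phone sign-ins carry no email claim, so never index it blindly.
    if require_verified_email and not (payload.get("email")
                                       and payload.get("email_verified") is True):
        raise ClaimsError("verified email required")
    if allowed_providers is not None:
        firebase = payload.get("firebase")
        provider = firebase.get("sign_in_provider") if isinstance(firebase, dict) else None
        if provider not in allowed_providers:
            raise ClaimsError("sign-in provider not allowed")
    for name, expected in (required_claims or {}).items():
        value = payload.get(name)
        # Strict match: the string "true" or the number 1 must not pass for True.
        if type(value) is not type(expected) or value != expected:
            raise ClaimsError(f"required claim not satisfied: {name}")
    if max_auth_age is not None:
        auth_time = payload.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_auth_age:
            raise ClaimsError("recent sign-in required")
    return uid

# Constructed sample payloads (hypothetical values, shaped like Firebase ID token claims).
ADMIN = {"uid": "u-1", "email": "admin@example.com", "email_verified": True,
         "admin": True, "auth_time": 1_700_000_000,
         "firebase": {"sign_in_provider": "password"}}
ANONYMOUS = {"uid": "u-2", "auth_time": 1_700_000_000,
             "firebase": {"sign_in_provider": "anonymous"}}

# Inside a route decorated with @firebase.jwt_required:
#     try:
#         uid = check_claims(request.jwt_payload, required_claims={"admin": True})
#     except ClaimsError as exc:
#         return {"error": {"message": str(exc)}}, 403
```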
Configuration
The FirebaseAdmin
object can be configured in the following ways:
- FIREBASE_ADMIN_CREDENTIAL

  Defaults to None. This is the credential passed to the call to firebase_admin.initialize_app. When this parameter is None, the Firebase Admin application tries to initialize using GOOGLE_APPLICATION_CREDENTIALS. If initializing the Firebase Admin app with the GOOGLE_APPLICATION_CREDENTIALS environment variable is undesirable, credentials can be created manually, for example:

      from flask import Flask
      from firebase_admin import credentials
      from flask_firebase_admin import FirebaseAdmin
      app = Flask(__name__)
      app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate("/path/to/key.json")
      firebase = FirebaseAdmin(app)  # no longer uses GOOGLE_APPLICATION_CREDENTIALS

  Or perhaps something like:

      import os
      from flask import Flask
      from firebase_admin import credentials
      from flask_firebase_admin import FirebaseAdmin

      app = Flask(__name__)
      cert = {
          "type": "service_account",
          "project_id": os.getenv("PROJECT_ID"),
          "private_key_id": os.getenv("PRIVATE_KEY_ID"),
          "private_key": os.getenv("PRIVATE_KEY"),
          "client_email": os.getenv("CLIENT_EMAIL"),
          "client_id": os.getenv("CLIENT_ID"),
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": os.getenv("CLIENT_X509_CERT_URL"),
      }
      app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate(cert)
      firebase = FirebaseAdmin(app)  # no longer uses GOOGLE_APPLICATION_CREDENTIALS

- FIREBASE_ADMIN_AUTHORIZATION_SCHEME

  Defaults to 'Bearer'. This is the authorization scheme expected by the FirebaseAdmin object. Changing this parameter changes the format of the auth header that is required by the client. For example, if we set this to 'JWT', we would then need to include an authorization header of the form Authorization: JWT <token> when making requests to protected routes.

- FIREBASE_ADMIN_CHECK_REVOKED

  Defaults to True. This parameter is passed as the check_revoked argument in the call to firebase_admin.auth.verify_id_token().

- FIREBASE_ADMIN_PAYLOAD_ATTR

  Defaults to 'jwt_payload'. This is the attribute on the Flask request object from which we can access the JWT payload data. If we were to change this to, say, 'jwt', we would then access the JWT payload using request.jwt.
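When the service-account fields come from environment variables as in the FIREBASE_ADMIN_CREDENTIAL snippet above, os.getenv silently yields None for anything unset. The following is an added example, not code from flask-firebase-admin, that builds the same dictionary but fails closed before credentials.Certificate is called. The function name service_account_info and the sample values are hypothetical, and it assumes the PEM key may have been stored on a single line with literal \n sequences.

```python
import os

# Certificate field -> environment variable, as named in the snippet above.
REQUIRED_VARS = {
    "project_id": "PROJECT_ID",
    "private_key_id": "PRIVATE_KEY_ID",
    "private_key": "PRIVATE_KEY",
    "client_email": "CLIENT_EMAIL",
    "client_id": "CLIENT_ID",
    "client_x509_cert_url": "CLIENT_X509_CERT_URL",
}
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"

def service_account_info(env=os.environ):
    """Build the dict for credentials.Certificate() from env, failing closed."""
    missing = [var for var in REQUIRED_VARS.values() if not env.get(var)]
    if missing:
        # Report variable names only, never their values.
        raise RuntimeError("missing environment variables: " + ", ".join(sorted(missing)))
    info = {field: env[var] for field, var in REQUIRED_VARS.items()}
    # Assumption: a single-line env var may hold literal "\n" instead of newlines.
    key = info["private_key"].replace("\\n", "\n").strip()
    if not (key.startswith(PEM_HEADER) and key.endswith(PEM_FOOTER)):
        raise RuntimeError("PRIVATE_KEY is not a PEM-encoded private key")
    info["private_key"] = key + "\n"
    info.update({
        "type": "service_account",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    })
    return info

# Constructed sample environment; the key body is a placeholder, not key material.
SAMPLE_ENV = {
    "PROJECT_ID": "example-project",
    "PRIVATE_KEY_ID": "0000000000000000",
    "PRIVATE_KEY": PEM_HEADER + "\\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\\n" + PEM_FOOTER + "\\n",
    "CLIENT_EMAIL": "svc@example-project.iam.gserviceaccount.com",
    "CLIENT_ID": "000000000000",
    "CLIENT_X509_CERT_URL": "https://example.invalid/cert",
}
# app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate(service_account_info())
```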
An example using the available configuration:
from flask import Flask, request
from firebase_admin import credentials
from flask_firebase_admin import FirebaseAdmin

app = Flask(__name__)
app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate("/path/to/key.json")
app.config["FIREBASE_ADMIN_AUTHORIZATION_SCHEME"] = "JWT"
# don't check for revoked tokens (a revoked token is then accepted until it expires)
app.config["FIREBASE_ADMIN_CHECK_REVOKED"] = False
app.config["FIREBASE_ADMIN_PAYLOAD_ATTR"] = "firebase_jwt"

# initialized with credentials defined above, not GOOGLE_APPLICATION_CREDENTIALS
firebase = FirebaseAdmin(app)

@app.route("/unprotected")
def unprotected():
    return {"message": "Hello anonymous user!"}

@app.route("/protected")
@firebase.jwt_required  # This route now requires authorization via firebase jwt
def protected():
    # we now access the JWT payload using request.firebase_jwt
    return {"message": f"Hello {request.firebase_jwt['email']}!"}

if __name__ == "__main__":
    app.run(debug=True)  # debug mode is for local development only
To call the /protected route, we have to update the auth header that we sent originally:
$ TOKEN="your-firebase-token ..."
$ curl -H "Authorization: JWT ${TOKEN}" http://127.0.0.1:5000/protected
{
  "message": "Hello <your@email.com>!"
}
Extras
For convenience, the modules in the firebase_admin package are aliased as class-level attributes on the FirebaseAdmin object. For example:
from flask import Flask
from flask_firebase_admin import FirebaseAdmin

app = Flask(__name__)
firebase = FirebaseAdmin(app)
db = firebase.firestore.client()  # <-- connect firestore client

@app.route("/unprotected")
def unprotected():
    return {"message": "Hello anonymous user!"}

@app.route("/protected")
@firebase.jwt_required
def protected():
    # do stuff in firestore using the db object defined above.
    ...

if __name__ == "__main__":
    app.run(debug=True)  # debug mode is for local development only
Hashes for flask-firebase-admin-0.2.1.tar.gz
Algorithm | Hash digest
---|---
SHA256 | d43b60e206ac189d1fe74c20ac6b135a5bc7a91d34b709291df38519c17e1030
MD5 | ab59ecaa2bd112e963ada9561da8f600
BLAKE2b-256 | 3c0b2d11a583a966b644497ada315814b50642a9e63710b1b6b27ff929e9e934
Hashes for flask_firebase_admin-0.2.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 6cca3dcebbc020dafb0e219045ab4dbe33fffd3bb1b525fdbee3d51e37c68ed9
MD5 | b5971207a9c1edda02aaa50fae7f8ffa
BLAKE2b-256 | 7297293aa39a1d10e95f54ab9cee6c4039f66b0d056ca338505ba1293bcab91a