# my-auth-app

A minimal authentication system built with React (frontend), Node.js + Express (backend), and Firebase Authentication. It supports Phone OTP, Google Sign-In, and Email/Password sign-in with account linking, uses Firebase session cookies for secure persistence, and stores user profiles in Firestore.
## Features

- Phone OTP (with Firebase reCAPTCHA)
- Google Sign-In
- Email/Password login
- Account linking (phone + Google + email)
- Secure session cookies (HttpOnly, Secure, SameSite=Strict)
- Firestore rules enforce per-user isolation
- Ready for Firebase Emulator Suite
## Prerequisites

- Node.js >= 18
- A Firebase project (the free tier is sufficient)
- Firebase CLI (`npm install -g firebase-tools`)
## Getting Started

Follow these steps to get the project up and running on your local machine.

### 1. Clone the repository

```bash
git clone https://github.com/your-username/my-auth-app.git
cd my-auth-app
```

### 2. Install dependencies

```bash
cd backend && npm install
cd ../frontend && npm install
```

### 3. Set up Firebase

#### 3a. Create a project

- Go to the Firebase Console.
- Click "Add project" and follow the steps to create a new project.

#### 3b. Enable sign-in providers

- In your new project, go to the Authentication section (from the left-hand menu).
- Click the "Sign-in method" tab.
- Enable the following providers (all three are used by the account-linking feature):
  - Email/Password
  - Phone
  - Google
#### 3c. Register a web app

- Go to your Project Settings (click the gear icon next to "Project Overview").
- In the "General" tab, scroll down to "Your apps".
- Click the Web icon (`</>`) to create a new web app. Give it a nickname and register the app.
- Firebase will give you a `firebaseConfig` object. You will need these values for your `frontend/.env` file.
#### 3d. Create a service account key

- In your Project Settings, go to the "Service accounts" tab.
- Click "Generate new private key". This will download a JSON file.
- Rename this file to `serviceAccount.json` and place it in the `backend` directory.
- Keep this file out of version control (add it to `.gitignore`): it grants full administrative access to the Firebase project, and the backend reads it through `GOOGLE_APPLICATION_CREDENTIALS`.
#### 3e. Set up reCAPTCHA

- Phone authentication uses reCAPTCHA to prevent abuse.
- Go to the Google Cloud Console and set up a new reCAPTCHA v3 key.
- You will get a "Site Key". This is the value for `VITE_RECAPTCHA_SITE_KEY` in your `frontend/.env` file.
- Check how `frontend/src` actually uses this key before relying on it: the Firebase JS SDK's `RecaptchaVerifier`, which gates phone OTP, is provisioned by Firebase itself and takes no site key, while a reCAPTCHA v3 site key is what Firebase App Check (`ReCaptchaV3Provider`) consumes.
#### 3f. Create the Firestore database

- In the Firebase Console, go to the Firestore Database section.
- Click "Create database" and start in test mode.
- Test mode installs rules that let anyone read and write the whole database for 30 days. Deploy the repository's rules (step 5) before storing real user data, and never expose a test-mode database to production traffic.
### 4. Configure environment variables

Create a `.env` file in both the `frontend` and `backend` directories. You can copy the contents from the `.env.example` files.

`backend/.env`:

```bash
PORT=4000
FIREBASE_PROJECT_ID=your-project-id
GOOGLE_APPLICATION_CREDENTIALS=./serviceAccount.json
SESSION_COOKIE_NAME=__session
SESSION_EXPIRES_IN=432000000 # 5 days in ms
NODE_ENV=development
```

`SESSION_EXPIRES_IN` is passed to the Admin SDK's `createSessionCookie`, which accepts values between 5 minutes and 2 weeks (1,209,600,000 ms); larger values are rejected.
`frontend/.env`:

```bash
VITE_API_BASE_URL=http://localhost:4000
VITE_FIREBASE_API_KEY=your-api-key-from-step-3c
VITE_FIREBASE_AUTH_DOMAIN=your-project-id.firebaseapp.com
VITE_FIREBASE_PROJECT_ID=your-project-id
VITE_FIREBASE_APP_ID=your-app-id
VITE_RECAPTCHA_SITE_KEY=your-recaptcha-site-key-from-step-3e
```
### 5. Deploy Firestore security rules

To deploy the security rules for Firestore, run the following command from the root of the project:

```bash
firebase deploy --only firestore:rules
```

### 6. Run the app

Backend:

```bash
cd backend
npm run dev
```

Frontend (in a second terminal):

```bash
cd frontend
npm run dev
```

## Local development with the Emulator Suite

To develop locally without connecting to your live Firebase project, you can use the Firebase Emulator Suite:

```bash
firebase emulators:start --only auth,firestore
```

Both halves of the app must be pointed at the emulators or they will keep talking to the live project: the Admin SDK honours the `FIREBASE_AUTH_EMULATOR_HOST` and `FIRESTORE_EMULATOR_HOST` environment variables, and the web SDK needs `connectAuthEmulator` / `connectFirestoreEmulator` calls (default ports 9099 and 8080).
## Project Structure

```
my-auth-app/
  backend/
    src/
  frontend/
    src/
  docs/
  README.md
  firebase.json
  firebase.rules
```
## Testing

- Unit tests: Jest + Supertest (backend), React Testing Library (frontend)
- E2E: Playwright or Cypress with Firebase Emulator
## Security

- Session cookies are HttpOnly, Secure, SameSite=Strict
- reCAPTCHA required for phone OTP
- Strong password policy for email/password
- Firestore rules prevent cross-user access
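The following is an added example, not code from this repository, showing the backend half of the session-cookie flow the Security section and `backend/.env` describe. It is written against the shape of the Firebase Admin SDK Auth API (`verifyIdToken`, `createSessionCookie`, `verifySessionCookie`) with that object injected, so the logic can be exercised offline against a constructed fake. The `/sessionLogin` route name, the `makeFakeAuth` helper and its token format are assumptions made for the demo:

```javascript
// Added example (not this repository's code): minting and checking a Firebase
// session cookie with the attributes the README promises, plus the two checks
// that usually get forgotten: a freshness requirement on the ID token and
// revocation checks on every verification.

const SESSION_COOKIE_NAME = "__session";          // backend/.env SESSION_COOKIE_NAME
const SESSION_EXPIRES_IN = 432000000;             // backend/.env SESSION_EXPIRES_IN (5 days)
const MAX_SESSION_MS = 14 * 24 * 60 * 60 * 1000;  // Firebase caps session cookies at 2 weeks
const RECENT_SIGN_IN_S = 5 * 60;                  // only mint for a sign-in that just happened

// Set-Cookie header with HttpOnly, Secure, SameSite=Strict, scoped to "/".
function sessionSetCookie(value, maxAgeMs = SESSION_EXPIRES_IN) {
  const maxAge = Math.floor(Math.min(maxAgeMs, MAX_SESSION_MS) / 1000);
  return `${SESSION_COOKIE_NAME}=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Pull one cookie out of a raw Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) return rest.join("=");
  }
  return null;
}

// POST /sessionLogin (assumed route): exchange a fresh ID token for a session cookie.
// A token whose auth_time is older than RECENT_SIGN_IN_S is refused, so an ID token
// captured earlier cannot be upgraded into a multi-day session.
async function issueSessionCookie(auth, idToken, nowSeconds = Date.now() / 1000) {
  const decoded = await auth.verifyIdToken(idToken, true);      // true = checkRevoked
  if (nowSeconds - decoded.auth_time > RECENT_SIGN_IN_S) {
    throw Object.assign(new Error("recent sign-in required"), { status: 401 });
  }
  const expiresIn = Math.min(SESSION_EXPIRES_IN, MAX_SESSION_MS);
  const cookie = await auth.createSessionCookie(idToken, { expiresIn });
  return { uid: decoded.uid, setCookie: sessionSetCookie(cookie, expiresIn) };
}

// Guard for protected routes: the cookie, never the request body, identifies the caller.
async function requireSession(auth, cookieHeader) {
  const cookie = readCookie(cookieHeader, SESSION_COOKIE_NAME);
  if (!cookie) throw Object.assign(new Error("no session"), { status: 401 });
  try {
    return await auth.verifySessionCookie(cookie, true);         // true = checkRevoked
  } catch (e) {
    throw Object.assign(new Error("invalid or revoked session"), { status: 401 });
  }
}

// Server-side half of per-user isolation: the Firestore document a request may
// touch is derived from the verified uid, not from a client-supplied id.
function profileDocPath(decodedSession) {
  return `users/${decodedSession.uid}`;
}

// Constructed fake with the Admin SDK method shapes so the flow runs offline.
// ID tokens look like "good:<uid>:<auth_time>", session cookies like "sess:<uid>".
function makeFakeAuth(revokedUids = new Set()) {
  const parse = (t) => {
    const [tag, uid, authTime] = String(t).split(":");
    if (tag !== "good" || !uid || revokedUids.has(uid)) throw new Error("bad token");
    return { uid, auth_time: Number(authTime) };
  };
  return {
    async verifyIdToken(t) { return parse(t); },
    async createSessionCookie(t) { return `sess:${parse(t).uid}`; },
    async verifySessionCookie(c) {
      const [tag, uid] = String(c).split(":");
      if (tag !== "sess" || !uid || revokedUids.has(uid)) throw new Error("bad cookie");
      return { uid };
    },
  };
}

// End-to-end run against the fake: sign-in 30 s ago, mint cookie, use it on a request.
async function demo() {
  const auth = makeFakeAuth();
  const now = 1700000000;
  const login = await issueSessionCookie(auth, `good:alice:${now - 30}`, now);
  const session = await requireSession(auth, login.setCookie.split(";")[0]);
  return { setCookie: login.setCookie, path: profileDocPath(session) };
}

demo().then((r) => console.log(r));
```

In the Express app this wires up by passing `admin.auth()` and `req.body.idToken` to `issueSessionCookie` and writing `setCookie` with `res.setHeader("Set-Cookie", ...)`; `requireSession` becomes the middleware in front of every route that reads or writes `users/{uid}`. The freshness check and the `checkRevoked` flags are the parts worth keeping: without them a leaked ID token can be traded for a five-day session, and revoking a user's refresh tokens would not end sessions already issued.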
## Roadmap

- Password reset & email verification
- Roles (admin/user)
- Multi-factor auth (MFA)
- Deployment (Netlify + Render/Cloud Run)
## License

MIT