Add Firebase (a Firebase Admin app) to a Flask application.
pip install flask-firebase-adminIn the simplest case, let's protect a route, specifically, we'll require a user to provide a firebase jwt to one of our routes:
from flask import Flask, request
from flask_firebase_admin import FirebaseAdmin
app = Flask(__name__)
firebase = FirebaseAdmin(app) # uses GOOGLE_APPLICATION_CREDENTIALS
@app.route("/unprotected")
def unprotected():
return {"message": "Hello anonymous user!"}
@app.route("/protected")
@firebase.jwt_required # This route now requires authorization via firebase jwt
def protected():
# By default JWT payload is stored under request.jwt_payload
return {"message": f"Hello {request.jwt_payload['email']}!"}
if __name__ == "__main__":
app.run(debug=True)Assuming the code above is located in a module named app.py, start the Flask application:
GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json" python app.pyAnd in a separate terminal window, ping the unprotected route:
$ curl http://127.0.0.1:5000/unprotected
{
"message": "Hello anonymous user!"
}Looks good. Now the protected route:
$ curl http://127.0.0.1:5000/protected
{
"error": {
"message": "No credentials provided"
}
}OK, makes sense. Now with some credentials:
$ TOKEN="your-firebase-token ..."
$ curl -H "Authorization: Bearer ${TOKEN}" http://127.0.0.1:5000/protected
{
"message": "Hello <your@email.com>!"
}Excellent. We now have a application with routes (one route) which require the user to provide their Firebase JWT to access!
Internally the jwt_required method provided by the FirebaseAdmin object calls the firebase_admin.auth.verify_id_token function which returns a dictionary of key-value pairs parsed from the decoded JWT. This dictionary is accessible via the request object provided by flask, specifically, this information is attached to the request.jwt_payload attribute by default.
Note: The following groups of configuration parameters are mutually exclusive:
FIREBASE_ADMIN_APP(This config parameter takes precendence and if specified then configuration from the other group is ignored)
FIREBASE_ADMIN_CREDENTIAL
FIREBASE_ADMIN_OPTIONS
FIREBASE_ADMIN_NAME
FIREBASE_ADMIN_RAISE_IF_APP_EXISTS
The FirebaseAdmin object can be configured in the following ways:
-
FIREBASE_ADMIN_CREDENTIALDefaults to
None. This is the credential passed to the call tofirebase_admin.initialize_app. When this parameter is None the Firebase Admin application tries to initialize usingGOOGLE_APPLICATION_CREDENTIALS. If initializing the Firebase Admin app with theGOOGLE_APPLICATION_CREDENTIALSenvironment variable is undesirebale, credentials can be created manually, for example:app = Flask(__name__) app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate("/path/to/key.json") firebase = FirebaseAdmin(app) # no longer uses GOOGLE_APPLICATION_CREDENTIALS
Or perhaps something like:
app = Flask(__name__) cert = { "type": "service_account", "project_id": os.getenv("PROJECT_ID"), "private_key_id": os.getenv("PRIVATE_KEY_ID"), "private_key": os.getenv("PRIVATE_KEY"), "client_email": os.getenv("CLIENT_EMAIL"), "client_id": os.getenv("CLIENT_ID"), "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": os.getenv("CLIENT_X509_CERT_URL"), } app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate(cert) firebase = FirebaseAdmin(app) # no longer uses GOOGLE_APPLICATION_CREDENTIALS
-
FIREBASE_ADMIN_OPTIONSDefaults to
None. This config is passed directly toadmin.initialize_app()as the secondoptionsargument. From the Firebase Admin SDK docs: A dictionary of configuration options (optional). Supported options include databaseURL, storageBucket, projectId, databaseAuthVariableOverride, serviceAccountId and httpTimeout. If httpTimeout is not set, the SDK uses a default timeout of 120 seconds. -
FIREBASE_ADMIN_NAMEDefaults to
'[DEFAULT]'. This config is passed directly toadmin.initialize_app()as the thirdnameargument. -
FIREBASE_ADMIN_AUTHORIZATION_SCHEMEDefaults to
'Bearer'. This is the authorization scheme expected by theFirebaseAdminobject. Changing this parameter changes the format of the auth header that is required by the client. For example, if we set this to'JWT'we would then need to include an authorization header of the form:Authorization: JWT <token>when making requests to protected routes. -
FIREBASE_ADMIN_CHECK_REVOKEDDefaults to
True. This parameter is passed as thecheck_revokedargument in the call tofirebase_admin.auth.verify_id_token(). -
FIREBASE_ADMIN_PAYLOAD_ATTRDefaults to
'jwt_payload'. This is attribute on the flaskrequestobject from which we can access the JWT payload data. If we were to change this to, say,'jwt'we would then access the JWT payload usingrequest.jwt -
FIREBASE_ADMIN_RAISE_IF_APP_EXISTSDefaults to
True. Internally,flask-firebase-admincallsadmin.initialize_app(), if the app with the configured name already exists the Firebase Admin SDK raises aValueErrorexception. When this config variable is set toFalse,flask-firebase-adminwill catch this error, get, and subsequently use the existing admin app by the given name. -
FIREBASE_ADMIN_APPDefaults to
None. This is a way to explicity provided theFirebaseAdminextension with a particular firebase admin app to use. For example:import firebase_admin from flask import Flask from flask_firebase_admin import FirebaseAdmin # elsewhere ... default_admin_app = firebase_admin.initialize_app() other_admin_app = firebase_admin.initialize_app(other_creds, other_options, other_name) # then ... app = Flask(__name__) app.config["FIREBASE_ADMIN_APP"] = other_admin_app # now firebase.jwt_required will use other_admin_app for authentication firebase = FirebaseAdmin(app)
An example using more of the available configuration:
from flask import Flask, request
from firebase_admin import credentials
from flask_firebase_admin import FirebaseAdmin
app = Flask(__name__)
app.config["FIREBASE_ADMIN_CREDENTIAL"] = credentials.Certificate("/path/to/key.json")
app.config["FIREBASE_ADMIN_AUTHORIZATION_SCHEME"] = "JWT"
app.config["FIREBASE_ADMIN_CHECK_REVOKED"] = False # don't check for revoked tokens
app.config["FIREBASE_ADMIN_PAYLOAD_ATTR"] = "firebase_jwt"
# initialized with credentials defined above, not GOOGLE_APPLICATION_CREDENTIALS
firebase = FirebaseAdmin(app)
@app.route("/unprotected")
def unprotected():
return {"message": "Hello anonymous user!"}
@app.route("/protected")
@firebase.jwt_required # This route now requires authorization via firebase jwt
def protected():
# we now access the JWT payload using request.firebase_jwt
return {"message": f"Hello {request.firebase_jwt['email']}!"}
if __name__ == "__main__":
app.run(debug=True)To call the /protected route we have to update our auth header that we sent originally:
$ TOKEN="your-firebase-token ..."
$ curl -H "Authorization: JWT ${TOKEN}" http://127.0.0.1:5000/protected
{
"message": "Hello <your@email.com>!"
}For convenience, the modules in the firebase_admin package are aliased as class-level attributes on the FirebaseAdmin object. For example:
from flask import Flask
from flask_firebase_admin import FirebaseAdmin
app = Flask(__name__)
firebase = FirebaseAdmin(app)
db = firebase.firestore.client() # <-- connect firestore client
@app.route("/unprotected")
def unprotected():
return {"message": "Hello anonymous user!"}
@app.route("/protected")
@firebase.jwt_required
def protected():
# do stuff in firestore using the db object defined above.
...
if __name__ == "__main__":
app.run(debug=True)- Have or install a recent version of
poetry(version >= 1.1) - Fork the repo
- Setup a virtual environment (however you prefer)
- Run
poetry install - Run
pre-commit install - Add your changes (adding/updating tests is always nice too)
- Commit your changes + push to your fork
- Open a PR