
Cross-Project Firebase Authentication Pattern

Overview

toto-app and toto-app-stg each have their own independent Firebase Authentication. toto-bo uses cross-authentication with the respective toto-app environment:

  • toto-bo (production) authenticates against toto-app (toto-f9d2f)
  • toto-bo-stg (staging) authenticates against toto-app-stg (toto-f9d2f-stg)

This allows the backoffice to use the same user accounts as the main app while maintaining environment isolation.

Core Principle

✅ toto-app: Uses its own auth (toto-f9d2f)
✅ toto-app-stg: Uses its own auth (toto-f9d2f-stg)
✅ toto-bo: Cross-auth with toto-app (toto-f9d2f)
✅ toto-bo-stg: Cross-auth with toto-app-stg (toto-f9d2f-stg)

Implementation

Environment Variables

toto-app

| Variable | Production | Staging | Purpose |
| --- | --- | --- | --- |
| FIREBASE_PROJECT_ID | toto-f9d2f | toto-f9d2f-stg | Auth and data storage |

toto-bo

| Variable | Production | Staging | Purpose |
| --- | --- | --- | --- |
| FIREBASE_AUTH_PROJECT_ID | toto-f9d2f | toto-f9d2f-stg | Auth token verification (cross-auth) |
| FIREBASE_PROJECT_ID | toto-f9d2f | toto-f9d2f-stg | Data storage |

Why This Pattern?

  1. Environment Isolation: Each environment (production/staging) has its own auth system
  2. Cross-Project Authentication: Backoffice can authenticate users from the main app
  3. User Account Consistency: Staging backoffice uses staging app accounts, production uses production accounts
  4. Data Isolation: Staging data remains separate from production

Implementation Details

toto-app Configuration

Production (apphosting.production.yaml):

env:
  - variable: FIREBASE_PROJECT_ID
    value: toto-f9d2f

Staging (apphosting.staging.yaml):

env:
  - variable: FIREBASE_PROJECT_ID
    value: toto-f9d2f-stg

toto-bo Configuration

Production (apphosting.production.yaml):

env:
  - variable: FIREBASE_AUTH_PROJECT_ID
    value: toto-f9d2f # Cross-auth with toto-app
  - variable: FIREBASE_PROJECT_ID
    value: toto-f9d2f
  - variable: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
    value: toto-f9d2f.firebaseapp.com
  - variable: NEXT_PUBLIC_FIREBASE_PROJECT_ID
    value: toto-f9d2f

Staging (apphosting.staging.yaml):

env:
  - variable: FIREBASE_AUTH_PROJECT_ID
    value: toto-f9d2f-stg # Cross-auth with toto-app-stg
  - variable: FIREBASE_PROJECT_ID
    value: toto-f9d2f-stg
  - variable: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
    value: toto-f9d2f-stg.firebaseapp.com
  - variable: NEXT_PUBLIC_FIREBASE_PROJECT_ID
    value: toto-f9d2f-stg

Code Implementation

toto-app

Uses its own Firebase project for both auth and data:

// Firebase Admin SDK (server side); imports added so the snippet runs as written
import { initializeApp } from 'firebase-admin/app';
import { getAuth } from 'firebase-admin/auth';
import { getFirestore } from 'firebase-admin/firestore';

// Production: toto-f9d2f
// Staging: toto-f9d2f-stg
const app = initializeApp({
  projectId: process.env.FIREBASE_PROJECT_ID,
});

// Auth and Firestore both come from the same project
const auth = getAuth(app);
const db = getFirestore(app);

toto-bo

Uses cross-authentication with the respective toto-app environment:

// Firebase Admin SDK (server side); imports added so the snippet runs as written
import { initializeApp } from 'firebase-admin/app';
import { getAuth } from 'firebase-admin/auth';
import { getFirestore } from 'firebase-admin/firestore';

// Initialize the default app with the data project
const app = initializeApp({
  projectId: process.env.FIREBASE_PROJECT_ID, // toto-f9d2f or toto-f9d2f-stg
});

// Initialize a second, named app with the auth project (cross-auth with toto-app).
// Admin apps must have distinct names, so this one is registered as 'auth'.
const authProjectId = process.env.FIREBASE_AUTH_PROJECT_ID; // toto-f9d2f or toto-f9d2f-stg
const authApp = initializeApp({
  projectId: authProjectId,
}, 'auth');

// Auth instance bound to toto-app's project: ID tokens are verified against it (cross-auth)
const auth = getAuth(authApp);

// Firestore instance bound to toto-bo's own database
const db = getFirestore(app);

Security Considerations

  1. Token Verification: ID tokens presented to the backoffice are verified against the respective toto-app environment's Firebase Auth project
  2. Data Isolation: Each environment has its own separate database
  3. Access Control: Firestore security rules apply per environment
  4. No Cross-Contamination: Production and staging environments are completely isolated
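The isolation described above depends entirely on the four toto-bo variables agreeing with each other. The following start-up check is an added example, not code from the toto project: it takes an environment map shaped like the apphosting files above and rejects the mismatches that would break the pattern (auth project and data project from different environments, or a browser config that signs users in on a project other than the one the server verifies against). The variable names come from this page; the `-stg` suffix rule and the check functions are assumptions made here.

```javascript
// Added example (not toto project code): consistency check for a toto-bo environment.
const STAGING_SUFFIX = '-stg';

// Classifies a Firebase project ID by the naming convention used on this page.
function environmentOf(projectId) {
  return projectId.endsWith(STAGING_SUFFIX) ? 'staging' : 'production';
}

// Returns { ok, environment, errors } for an env map such as process.env.
function validateBackofficeConfig(env) {
  const required = [
    'FIREBASE_AUTH_PROJECT_ID', 'FIREBASE_PROJECT_ID',
    'NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN', 'NEXT_PUBLIC_FIREBASE_PROJECT_ID',
  ];
  const errors = required.filter((name) => !env[name]).map((name) => `missing ${name}`);
  if (errors.length > 0) return { ok: false, environment: null, errors };

  const authProject = env.FIREBASE_AUTH_PROJECT_ID;
  const dataProject = env.FIREBASE_PROJECT_ID;
  const environment = environmentOf(authProject);

  // Cross-auth must not cross environments: a staging backoffice that verifies tokens
  // against the production auth project would let production accounts reach staging
  // data (the "old pattern" the migration notes move away from).
  if (environmentOf(dataProject) !== environment) {
    errors.push(`auth project ${authProject} and data project ${dataProject} differ in environment`);
  }
  // The browser SDK must sign users in on the same project the server verifies against;
  // otherwise every ID token is minted by one project and rejected by the other.
  if (env.NEXT_PUBLIC_FIREBASE_PROJECT_ID !== authProject) {
    errors.push(`NEXT_PUBLIC_FIREBASE_PROJECT_ID must be ${authProject}`);
  }
  if (env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN !== `${authProject}.firebaseapp.com`) {
    errors.push(`NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN must be ${authProject}.firebaseapp.com`);
  }
  return { ok: errors.length === 0, environment, errors };
}

// Firebase ID tokens carry aud = <project ID> and iss = https://securetoken.google.com/<project ID>.
// verifyIdToken() on the Admin app created from FIREBASE_AUTH_PROJECT_ID already enforces this
// (plus the signature); this helper only spells out the binding a staging token must satisfy.
function tokenBelongsToAuthProject(claims, authProjectId) {
  return claims.aud === authProjectId &&
    claims.iss === `https://securetoken.google.com/${authProjectId}`;
}
```

Run `validateBackofficeConfig(process.env)` once at boot and refuse to start on `ok === false`, so a mis-paired deployment fails loudly instead of silently accepting the wrong environment's accounts.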

Benefits

  • ✅ Environment Isolation: Each environment has independent authentication
  • ✅ Cross-Project Integration: Backoffice can authenticate users from the main app
  • ✅ Data Safety: Production and staging data remain completely separate
  • ✅ Consistent Experience: Same authentication flow within each environment

Migration Notes

When migrating from the old pattern (shared production auth):

  1. Update FIREBASE_AUTH_PROJECT_ID in staging to use toto-f9d2f-stg
  2. Update frontend Firebase config (NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN, NEXT_PUBLIC_FIREBASE_PROJECT_ID) in staging
  3. Update Firebase Admin initialization code comments
  4. Verify token verification works correctly in both environments
  5. Test that staging uses staging auth and production uses production auth