The dashboard authentication has been migrated from hardcoded .env credentials to Firebase Authentication with role-based access control. This provides better security, account lockout protection, and audit trails.
```env
# ❌ OLD METHOD - NO LONGER USED
EMAIL_DASHBOARD=admin@example.com
PASSWORD_DASHBOARD=mypassword123
```

```javascript
// Simple string comparison (insecure)
if (email !== process.env.EMAIL_DASHBOARD || password !== process.env.PASSWORD_DASHBOARD) {
  return error;
}
```

✅ NEW METHOD - Firebase Authentication

1. User submits email/password to `/auth/login`
2. Firebase authenticates the credentials
3. System checks if the user has `ROLE_ADMIN` in Firestore
4. If admin, returns a Firebase ID token
5. Token is used for subsequent API calls

You need to create a Firebase user account through the Firebase Console or using the Firebase Admin SDK:
- Go to Firebase Console: https://console.firebase.google.com
- Select your project
- Navigate to Authentication > Users
- Click Add User
- Enter:
  - Email: `admin@yourdomain.com` (your admin email)
  - Password: a strong password (min 8 characters)
- Click Add User
- Copy the User UID (you'll need this for Step 2)
```javascript
const admin = require('firebase-admin');

// Initialise the Admin SDK once per process, using Application Default
// Credentials (e.g. GOOGLE_APPLICATION_CREDENTIALS pointing at a service
// account key file).
admin.initializeApp({ credential: admin.credential.applicationDefault() });

async function createAdminUser() {
  const userRecord = await admin.auth().createUser({
    email: 'admin@yourdomain.com',
    password: 'YourStrongPassword123!', // placeholder: use a strong, unique password
    displayName: 'Admin User',
    emailVerified: true
  });
  console.log('Created user with UID:', userRecord.uid);
  return userRecord.uid;
}
```

Once you have the User UID, add the admin role to Firestore:
- Go to Firestore Database in Firebase Console
- Navigate to the collection specified in the `COLLECTION_NAME_ROLE` env variable
- Create a new document with:
  - Document ID: `<USER_UID_FROM_STEP_1>`
  - Field: `role` (type: array)
  - Value: `[<VALUE_OF_ROLE_ADMIN_ENV>]`

Example:

```
Collection: roles
Document ID: abc123xyz (the UID from Step 1)
Field: role = ["admin"]
```
```javascript
const admin = require('firebase-admin');
// Assumes admin.initializeApp() has already been called (see Step 1).

async function assignAdminRole(uid) {
  // Document ID = the user's UID. set() replaces any existing document,
  // so after this call the user's roles are exactly [ROLE_ADMIN].
  await admin.firestore()
    .collection(process.env.COLLECTION_NAME_ROLE)
    .doc(uid)
    .set({
      role: [process.env.ROLE_ADMIN]
    });
  console.log('Admin role assigned to UID:', uid);
}
```

Remove these from your .env file (if they still exist):
```env
# ❌ REMOVE THESE - NO LONGER NEEDED
EMAIL_DASHBOARD=
PASSWORD_DASHBOARD=
```

Make sure these are set correctly in your .env:
```env
# Required for role verification
COLLECTION_NAME_ROLE=roles
ROLE_ADMIN=admin

# Firebase configuration (should already be set)
FIREBASE_KEY=your-firebase-key
FIREBASE_DOMAIN=your-firebase-domain
FIREBASE_DATABASE=your-firebase-database
FIREBASE_PROJECT_ID=your-project-id

# Optional: Request body size limit
# - Not set: defaults to 10kb (recommended)
# - Set to size: e.g., 1mb, 5mb
# - Set to 'false': no limit (trust Cloudflare)
# BODY_SIZE_LIMIT=10kb
```

Test the login endpoint:

```bash
curl -X POST http://localhost:3000/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@yourdomain.com",
    "password": "YourStrongPassword123!"
  }'
```

Successful login:

```json
{
  "ok": true,
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

Invalid credentials:

```json
{
  "ok": false,
  "message": "Invalid credentials"
}
```

User exists but is not an admin:

```json
{
  "ok": false,
  "message": "Access denied. Admin privileges required."
}
```

Too many failed attempts:

```json
{
  "ok": false,
  "message": "Too many failed attempts. Please try again later."
}
```

| Old Method | New Method |
|---|---|
| ❌ Hardcoded in .env | ✅ Firebase managed credentials |
| ❌ No password hashing | ✅ Firebase bcrypt hashing |
| ❌ No account lockout | ✅ Automatic rate limiting |
| ❌ Weak JWT signing | ✅ Firebase ID tokens (RSA-256) |
| ❌ Single point of failure | ✅ Centralized auth management |
| ❌ No audit trail | ✅ Firebase audit logs |

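The login flow (steps 1-5) and the three error responses shown above, as an added example that is not the project's code: a framework-free version of the decision logic behind `/auth/login`, plus the per-request check that protects the API calls made with the returned token. The `signIn`, `getRoleDoc` and `verifyIdToken` dependencies are hypothetical names standing in for the Identity Toolkit sign-in call (made with `FIREBASE_KEY`), the Firestore read of `COLLECTION_NAME_ROLE/<uid>`, and `admin.auth().verifyIdToken`; the `TOO_MANY_ATTEMPTS_TRY_LATER` branch assumes the caller passes the Identity Toolkit error message through as `signIn.error`. The env values are constructed for the demo.

```javascript
'use strict';

// Response messages exactly as the endpoint documentation lists them.
const MESSAGES = {
  invalid: 'Invalid credentials',
  denied: 'Access denied. Admin privileges required.',
  locked: 'Too many failed attempts. Please try again later.',
};

// Constructed for the demo; in the app these come from process.env.
const ENV = { COLLECTION_NAME_ROLE: 'roles', ROLE_ADMIN: 'admin' };

// roleDoc is the Firestore document keyed by the user's UID (or null when
// it does not exist). The role field must be an array containing ROLE_ADMIN.
function hasAdminRole(roleDoc, env = ENV) {
  const roles = roleDoc && Array.isArray(roleDoc.role) ? roleDoc.role : [];
  return roles.includes(env.ROLE_ADMIN);
}

// signIn: { ok: true, idToken, uid } on success, { ok: false, error } otherwise.
function loginResponse(signIn, roleDoc, env = ENV) {
  if (!signIn.ok) {
    // Firebase's lockout surfaces as a distinct error code (assumed mapping);
    // every other failure (unknown email, wrong password, ...) collapses into
    // one message so the endpoint does not reveal which accounts exist.
    if (signIn.error === 'TOO_MANY_ATTEMPTS_TRY_LATER') {
      return { ok: false, message: MESSAGES.locked };
    }
    return { ok: false, message: MESSAGES.invalid };
  }
  // Authenticated but not an admin: the role document decides.
  if (!hasAdminRole(roleDoc, env)) return { ok: false, message: MESSAGES.denied };
  return { ok: true, token: signIn.idToken };
}

// Async wiring for the real app (hypothetical deps, see lead-in).
async function handleLogin(deps, email, password, env = ENV) {
  const signIn = await deps.signIn(email, password);
  const roleDoc = signIn.ok ? await deps.getRoleDoc(signIn.uid) : null;
  return loginResponse(signIn, roleDoc, env);
}

// Step 5: subsequent API calls send "Authorization: Bearer <ID token>".
function parseBearer(header) {
  const m = /^Bearer\s+(\S+)$/.exec(header || '');
  return m ? m[1] : null;
}

// Re-check the role on every request, not only at login: an ID token stays
// valid for an hour, but a role removed in Firestore should take effect now.
async function authorizeRequest(deps, authHeader, env = ENV) {
  const token = parseBearer(authHeader);
  if (!token) return { ok: false, status: 401 };
  let decoded;
  try {
    decoded = await deps.verifyIdToken(token); // admin.auth().verifyIdToken in the app
  } catch (e) {
    return { ok: false, status: 401 };
  }
  const roleDoc = await deps.getRoleDoc(decoded.uid);
  return hasAdminRole(roleDoc, env)
    ? { ok: true, uid: decoded.uid }
    : { ok: false, status: 403 };
}
```

`loginResponse` is pure, so the response mapping can be unit-tested without Firebase; `handleLogin` and `authorizeRequest` take the real calls as dependencies. Keeping unknown-email and wrong-password failures on the same `Invalid credentials` message is what prevents the endpoint from being used to enumerate admin accounts, and the per-request role lookup is what makes the "remove admin privileges" procedure below take effect before the token expires.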
- Account Lockout: Firebase automatically locks accounts after multiple failed attempts
- Token Expiration: Firebase ID tokens expire after 1 hour
- Token Refresh: Supports refresh tokens for seamless re-authentication
- Password Reset: Can use Firebase password reset flows
- 2FA Support: Can enable 2FA on admin accounts in Firebase
To add additional admin users:

1. Create the user in Firebase (Step 1 above)
2. Assign the admin role in Firestore (Step 2 above)
3. Done! They can now log in with their credentials

To remove admin privileges:

- Go to Firestore
- Find the user's document in the `COLLECTION_NAME_ROLE` collection
- Either:
  - Delete the document (removes all roles)
  - Remove `ROLE_ADMIN` from the `role` array
- The user can no longer access admin endpoints
If login fails with "Invalid credentials":

- Check that the user exists in Firebase Authentication
- Verify the email is exactly correct (case-sensitive)
- Check Firebase logs for authentication errors

If login fails with "Access denied. Admin privileges required.":

- Verify the user has the admin role in Firestore
- Check that the `COLLECTION_NAME_ROLE` env variable matches your collection name
- Check that the `ROLE_ADMIN` env variable matches the role value (usually "admin")
- Verify the document ID in Firestore matches the user's UID

If login fails with "Too many failed attempts. Please try again later.":

- Wait 15-30 minutes for Firebase to reset the counter
- Or reset the user's password in Firebase Console
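Role assignment (Step 2), the "remove admin privileges" procedure and the "Access denied" troubleshooting checks above, as one added example that is not the project's code. It runs offline against a tiny in-memory stand-in for Firestore that mirrors only the `collection/doc/get/set/update/delete` calls and the `FieldValue.arrayUnion`/`arrayRemove` helpers that `firebase-admin` provides; in the app, pass `admin.firestore()` and `admin.firestore.FieldValue` instead of the fakes. `checkAdminSetup` takes the result of an `admin.auth().getUserByEmail` lookup (hypothetical parameter `userByEmail`, `null` when no such user). Env values and document contents are constructed for the demo.

```javascript
'use strict';

const ENV = { COLLECTION_NAME_ROLE: 'roles', ROLE_ADMIN: 'admin' }; // constructed

// --- minimal Firestore stand-in, constructed for the demo ---
class FakeFieldValue {
  constructor(op, items) { this.op = op; this.items = items; }
  static arrayUnion(...items) { return new FakeFieldValue('union', items); }
  static arrayRemove(...items) { return new FakeFieldValue('remove', items); }
}
function applyFieldValues(current, patch) {
  const next = { ...current };
  for (const [k, v] of Object.entries(patch)) {
    if (!(v instanceof FakeFieldValue)) { next[k] = v; continue; }
    const arr = Array.isArray(next[k]) ? next[k] : [];
    next[k] = v.op === 'union'
      ? [...new Set([...arr, ...v.items])]
      : arr.filter((x) => !v.items.includes(x));
  }
  return next;
}
class FakeFirestore {
  constructor() { this.data = new Map(); }
  collection(name) {
    const store = this.data;
    const key = (id) => `${name}/${id}`;
    return {
      doc: (id) => ({
        async get() { const d = store.get(key(id)); return { exists: d !== undefined, data: () => d }; },
        async set(obj, opts = {}) {
          const base = opts.merge ? (store.get(key(id)) || {}) : {};
          store.set(key(id), applyFieldValues(base, obj));
        },
        async update(obj) {
          if (!store.has(key(id))) throw new Error('NOT_FOUND');
          store.set(key(id), applyFieldValues(store.get(key(id)), obj));
        },
        async delete() { store.delete(key(id)); },
      }),
    };
  }
}

// --- role management: document ID is the user's UID ---
function roleRef(db, uid, env = ENV) {
  return db.collection(env.COLLECTION_NAME_ROLE).doc(uid);
}
// arrayUnion with merge instead of set({ role: [ROLE_ADMIN] }): a plain set()
// replaces the whole document and silently drops any other roles the user had.
async function assignAdminRole(db, FieldValue, uid, env = ENV) {
  await roleRef(db, uid, env).set({ role: FieldValue.arrayUnion(env.ROLE_ADMIN) }, { merge: true });
}
// Removes only ROLE_ADMIN from the array; deleting the document removes all roles.
async function revokeAdminRole(db, FieldValue, uid, env = ENV) {
  const snap = await roleRef(db, uid, env).get();
  if (!snap.exists) return; // nothing to revoke
  await roleRef(db, uid, env).update({ role: FieldValue.arrayRemove(env.ROLE_ADMIN) });
}
async function getRoles(db, uid, env = ENV) {
  const snap = await roleRef(db, uid, env).get();
  const d = snap.exists ? snap.data() : null;
  return d && Array.isArray(d.role) ? d.role : [];
}

// --- troubleshooting "Access denied": the checklist above as code ---
// Returns a list of findings; an empty list means the setup is consistent.
async function checkAdminSetup(db, userByEmail, env = ENV) {
  const findings = [];
  if (!env.COLLECTION_NAME_ROLE) findings.push('COLLECTION_NAME_ROLE is not set');
  if (!env.ROLE_ADMIN) findings.push('ROLE_ADMIN is not set');
  if (!userByEmail) {
    findings.push('no Firebase Authentication user with that email');
    return findings;
  }
  const snap = await roleRef(db, userByEmail.uid, env).get();
  if (!snap.exists) {
    findings.push(`no document ${env.COLLECTION_NAME_ROLE}/${userByEmail.uid} (document ID must equal the UID)`);
  } else if (!Array.isArray(snap.data().role)) {
    findings.push('field "role" is missing or is not an array');
  } else if (!snap.data().role.includes(env.ROLE_ADMIN)) {
    findings.push(`role array does not contain "${env.ROLE_ADMIN}"`);
  }
  return findings;
}
```

The stand-in exists only so the role logic can be exercised without a project; the functions themselves use nothing beyond the documented Firestore document API, so swapping in `admin.firestore()` is the only change needed. The `checkAdminSetup` findings map one-to-one onto the troubleshooting bullets: missing user, missing document (or document ID that is not the UID), wrong field type, or a `ROLE_ADMIN` value that does not match what is stored.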
If you had a working .env setup before:
- Your old credentials won't work anymore
- You MUST create a Firebase user account (Step 1)
- You MUST assign the admin role (Step 2)
- Update your client applications to use the new login endpoint
- ✅ Set up your first admin user (Steps 1-2 above)
- ✅ Test the login flow
- ✅ Remove old `EMAIL_DASHBOARD` and `PASSWORD_DASHBOARD` from `.env`
- ✅ Update any client applications using the login API
- 🔐 Consider enabling 2FA on admin accounts in Firebase Console
- 📝 Document your admin users and their access levels
If you encounter issues:
- Check Firebase Console for authentication errors
- Verify Firestore has the correct role assignments
- Check application logs for detailed error messages
- Review the security audit report for additional context