Authentication
Firebase Auth integration across all platforms β login, token management, route protection, and biometrics handled out of the box. You configure auth parameters and customize post-login routing.
What the Foundation Provides
| Capability | Flutter | Angular | React (Web) | React Native |
|---|---|---|---|---|
| Email/password login | β | β | β | β |
| OAuth (Google, Apple) | β | β | β | β |
| Password reset / management | β | β | β | β |
| Email verification | β | β | β | β |
| Token refresh | β (automatic via Firebase) | β (automatic via Firebase) | β (useUserTokenRefresh) | β (useIdToken) |
| Auth interceptors | β (Dio interceptor) | β (HTTP interceptor) | β (Axios interceptor) | β (Axios interceptor) |
| Route/screen protection | β (navigation service) | β (multi-layered guards) | β (middleware) | β (Stack.Protected) |
| Session timeout | β | β (1hr default, 30min warning) | β (inactivity monitor) | β |
| Biometric login | β (Face ID / Touch ID) | β | β | β (Face ID / Touch ID) |
| Secure credential storage | β (FlutterSecureStorage) | β | β (cookie via middleware) | β (Expo SecureStore) |
| RBAC / Permissions | β (sdk_access) | β (access-web + Firestore) | β (access-frontend-sdk) | β |
| Pre-built auth UI | β | β (login, signup, password reset) | β (Login, ForgotPassword, ManagePassword) | β (Login, VerifyEmail, ManagePassword) |
How It Works
Token Flow
All platforms follow the same pattern: Firebase Auth issues JWTs with custom claims (roles, products, tenant). Tokens are automatically refreshed by the Firebase SDK and attached to every API request via platform-specific interceptors.
Custom claims structure:
{
appUserId: string
bootstrapTenantKey: string
customerKey: string
products: string[]
roles: string[]
email_verified: boolean
}Auth Interceptors
Every outbound HTTP request gets auth headers attached automatically:
| Header | Purpose | Platforms |
|---|---|---|
Authorization: Bearer <jwt> | API authentication | All |
X-TENANT-ID | Multi-tenant routing | All |
X-Firebase-AppCheck | Request integrity verification | Flutter, React/RN |
X-Service-Request | Opt-in token injection flag | Angular |
Flutter uses a Dio RestClientInterceptor that also checks network connectivity before every request. Two variants exist: public (allows unauthenticated) and authenticated (rejects if no user).
Angular uses HttpServiceInterceptor gated by an X-Service-Request header flag, reading tokens from localStorage.
React / RN uses Axios interceptors in the RestClient with automatic retry and tenant header injection.
Route Protection
| Platform | Mechanism | Pattern |
|---|---|---|
| Flutter | Abstract NavigationService | Module facades control screen entry; auth state drives navigation |
| Angular | Multi-layered guards | superGuard enforces: Authenticated β Terms β Email Verified β Destination |
| React (Web) | Next.js middleware | next-firebase-auth-edge validates on every server request with role-based redirects |
| React Native | Expo Router | Stack.Protected with guard={isAuthenticated} |
RBAC
Flutter and Angular both implement a product Γ role β permissions model backed by Firestore. The Angular implementation (@engineering11/access-web) stores permission maps in access_permission_maps/ and exposes PermissionStore, PermissionsGuard, and UseLimitService. React web provides PermissionProvider with hook-based permission checks.
What You Customize
| You Provide | Example |
|---|---|
| Auth config (URLs, tenant ID) | AuthConfig, BaseAuthConfigProvider, Firebase project IDs |
| Post-auth routing | Where to redirect after login, role-based landing pages |
| Logout cleanup | Unsubscribe Firestore listeners, clear notification tokens, reset stores |
| Permission definitions | Which permissions map to which roles for your product |
| Login screen branding | Applied via the theming system, not auth code |
Next Steps
- Theming & White-Label β How the theme system works
- Error Handling β Structured error patterns
- Platforms β Platform-specific deep dives