Improve authentication

[akkomar]

Currently application is secured with Firebase Google sign-in, allowing anyone with Google account to log in. Data is secured with Firestore rules, allowing only accounts from mozilla.com to access it [1]. Non-Mozilla accounts will see empty views after logging in - this is acceptable for 'beta', but should be improved going forward.

We should either:

• block non-Mozilla accounts from signing in
• secure this with our SSO (because we don't have a backend now it might force us to create it and manage hosting on our own, otherwise cloud functions might be an option) - at this point this seems to be preferable solution that would be consistent with other services
• secure this with IAP (needs investigating, according to documentation this might not be possible)

[akkomar]

In order to integrate with Mozilla SSO, we need:

• Auth0 authentication on the client side (example)
• Cloud Function for verifying Auth0 authentication tokens passed from the client and minting custom Firebase tokens
• afterwards, custom Firebase token can be returned to the client for signing in

[whd]

We'll also need to eventually restrict access to pings based on workgroups metadata. We discussed this during initially rally -> glean talks and sidestepped it by not implementing debug-ping-view there. However, as I was putting together the contextual services pipeline I sent an example ping that wound up on https://debug-ping-preview.firebaseapp.com/pings/whd. This is by some definitions an ACL violation since source tables are restricted to workgroup:contextual-services and debug-ping-view is implemented to only support workgroup:mozilla-confidential.

I decided to update this almost 2-year old issue as the least effort solution to track the need to address this at some point, but I don't consider this to be a high priority (generally people who are setting the debug header know what they are doing and are simply debugging with fake data).