Integrating Firebase Authentication with Lovable

Book a call with an Expert

Starting a new venture? Need to upgrade your web app? RapidDev builds application with your growth in mind.

Why Firebase Integration Needs Manual Setup in Lovable

Firebase requires manual setup in Lovable because key Firebase steps must happen outside of app code (in Google/Firebase consoles) and require secure secrets and CLI operations that Lovable’s chat environment can’t run for you. You must create the Firebase project, enable providers/APIs, register OAuth redirect/authorized domains, and provision service-account credentials manually — then supply those values into Lovable’s Secrets UI or a synced GitHub repo. Lovable can edit your app files and add placeholders, but it cannot perform console actions, run the Firebase CLI, or safely retrieve private Google service-account keys for you.

Why this is necessary (details)

Console-only resources: Creating a Firebase project, enabling OAuth providers, setting authorized domains, and enabling APIs are done in the Firebase/GCP web consoles — these aren’t actions you can run from Lovable’s editor.
Secrets & security: Admin credentials (service-account JSON, API keys, client secrets) must be kept out of source. Lovable provides a Secrets UI to store these, but you must upload or paste them manually — Lovable won’t fetch them for you.
CLI-dependent steps: Initializing functions, deploying rules, and running emulators use firebase/gcloud CLIs. Lovable has no terminal, so those deploys must be done outside Lovable (local machine or CI). Use GitHub export/sync if you need CI-based deploys.
Domain/redirect nuance: Auth redirect URIs and authorized domains must match your Lovable preview/published domains. Previews are ephemeral; you’ll often need to add both preview and production domains manually in the Firebase console.
Server vs client config: Admin SDKs need private keys server-side (store in Lovable Secrets or external CI secret store), while client SDK needs only public config — you must place these in the right scope yourself.

Lovable prompt(s) you can paste to create guidance/checklist inside your project

// Please create file docs/FIREBASE_MANUAL_SETUP.md with the exact content below
// This file intentionally explains the manual steps required outside Lovable
# FIREBASE MANUAL SETUP (for Lovable projects)

// 1) Console steps (Firebase/GCP)
// - Create a Firebase project in the Firebase Console.
// - Enable the Authentication providers you need (Email, Google, etc.).
// - Add your Lovable preview domain(s) and published domain to "Authorized domains" and OAuth redirect URIs.
// - If using server-side functions, enable required Google APIs and create a service account with the needed roles.
// - Download the service-account JSON (keep it private).

// 2) What to store in Lovable Secrets UI
// - FIREBASE_API_KEY (public key)
// - FIREBASE_AUTH_DOMAIN
// - FIREBASE_PROJECT_ID
// - FIREBASE_APP_ID
// - FIREBASE_SERVICE_ACCOUNT (paste full service-account JSON here; mark as secret)
// - Any OAuth client secret values (if applicable)

// 3) Deploy notes (outside Lovable)
// - Deploying Firebase Functions or running the Emulator requires the Firebase CLI or gcloud CLI.
// - These steps must be run locally or in CI (use GitHub export/sync for CI deployment).
// - Example: firebase deploy --only functions (run on your machine or CI).
//
// 4) Important reminders
// - Do NOT commit service-account JSON to source control.
// - Ensure authorized domains include both preview and production domains used by Lovable.
// - Use Lovable Secrets UI to add the keys; reference them in code via environment variables or runtime secrets.

// Please create file .lovable/firebase-placeholders.md with the exact content below
// This file provides placeholders Lovable can safely keep in repo; replace at runtime via Secrets UI.
# Firebase placeholders for code

// Create a lightweight module or env example to be filled from Secrets UI or CI.
// Do NOT commit real keys here — replace with secret bindings in Lovable.

export const FIREBASE_CONFIG_PLACEHOLDER = {
  // // Replace these with values set in Lovable Secrets UI or GitHub secrets
  apiKey: "FIREBASE_API_KEY_FROM_SECRETS",
  authDomain: "FIREBASE_AUTH_DOMAIN_FROM_SECRETS",
  projectId: "FIREBASE_PROJECT_ID_FROM_SECRETS",
  appId: "FIREBASE_APP_ID_FROM_SECRETS"
};

// For server-side Admin SDK, configure to load FIREBASE_SERVICE_ACCOUNT from Secrets UI.

Still stuck?
Copy this prompt into ChatGPT and get a clear, personalized explanation.

This prompt helps an AI assistant understand your setup and guide you through the fix step by step, without assuming technical knowledge.

AI AI Prompt



You are a senior frontend engineer and no-code/low-code specialist. You are familiar with Lovable-style generated projects and the common patterns and pitfalls they produce (static HTML+JS files, no terminal, limited file editor, CDN-only library loading, and generated code that may use global or module patterns inconsistently). Work within these constraints and always explain things in calm, non-technical language suitable for a non-technical person editing files in a project UI.

Constraints you must follow while producing the solution:
- No terminal or command-line steps — only edit, create, or remove files inside the project editor.
- No package installs or dependency managers — use CDN scripts or pure language examples.
- Give step-by-step instructions that are reversible (explain how to undo each change).
- Keep explanations beginner-friendly; explain both what to do and why it works.
- When offering code, include full files or paste-ready snippets inside code blocks.
- Offer both a JavaScript/TypeScript (client-side) option and a Python option (server-side or verification) even if the user hasn't chosen a language.
- Prefer safe defaults and avoid risky suggestions (don’t expose private keys in shared areas; recommend appropriate security checks).
- If something requires deeper engineering beyond simple edits, recommend escalation (see troubleshooting guidance later).

Objective
Goal: Integrating Firebase Authentication with Lovable
- Simple outcome-focused goal: Add Firebase Authentication to a Lovable-style project using only the project editor — no terminal, no installs — so users can sign up, sign in, and sign out safely and predictably.

Success looks like:
- A small set of files added to the project with clear names and locations.
- A visible Sign Up and Sign In UI in the HTML that connects to Firebase Auth via CDN scripts.
- Clear, readable error handling that shows helpful messages to users and logs developer-friendly errors to the console.
- Minimal, reversible edits that do not change generated application architecture.
- A basic server-side or verification snippet in Python for projects that later add secure token checks (optional, separate file).

Quick clarification (max 5 questions)
Answer these before I tailor the steps. If you don’t know, say “not sure” and I’ll proceed with safe defaults.
1) Do you want the client-only implementation (JavaScript modules via CDN) or will you later use a server to verify tokens? (answer: "client" / "server" / "not sure")
2) Which file in your Lovable project is the main HTML file? (common names: index.html) If not sure, say “not sure”.
3) Do you prefer ES modules (import/export) in files or classic script global variables? (answer: "modules" / "globals" / "not sure")
4) Do you already have a Firebase project and its configuration values (API key, authDomain, appId)? (answer: "yes" / "no" / "not sure")
5) Would you like friendly on-screen error messages for users or only console logs for now? (answer: "on-screen" / "console" / "not sure")

Plain-language explanation (5–8 lines)
Firebase Authentication is a service that lets people sign up and sign in to your app using email/password (and other methods). In Lovable-style editors you cannot run package installers, so we load Firebase from their hosted scripts (CDN) and add simple files that call Firebase functions. This keeps everything editable in the project UI. You add configuration that tells the app which Firebase project to use; the app then uses Firebase Auth methods to create accounts and sign users in and out.

Find the source (no terminal)
Use this checklist inside your project editor to locate what to change. No debugging tools, only file search and console logging:
- Open your main HTML file (look for index.html or main.html). If unsure, search the file list for a top-level HTML.
- Search-in-files for "<script" or "firebase" to find any existing Firebase code.
- Search-in-files for "signIn" or "signUp" to find existing authentication handlers generated by the tool.
- Add console.log debug lines in scripts you edit (for example, console.log('firebase-init loaded')) to confirm the file runs when you reload the page.
- If user clicks don’t trigger actions, add console.log at the start of the click handler to verify that the button is wired.
- If an imported module fails to load, open the browser console (in the editor preview or your browser) and copy the first 20 lines of the error message to paste back here.

Complete solution kit (step-by-step)
Below are small, copy-paste-ready files. Use the file names exactly. All files are safe to remove to revert changes.

JavaScript / TypeScript option (client-side, module-based approach)
Files to create inside the project editor:
1) index.html — the main page where you add CDN scripts and UI
2) firebase-config.js — store Firebase project configuration and initialization
3) user-auth.js — signUp, signIn, signOut helpers

Create or replace index.html (edit the head and body sections as shown):
```
<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Lovable App — Auth Demo</title>

    <!-- Firebase CDN (client-only, version chosen for compatibility) -->
    <script src="https://www.gstatic.com/firebasejs/9.22.1/firebase-app.js"></script>
    <script src="https://www.gstatic.com/firebasejs/9.22.1/firebase-auth.js"></script>

    <!-- Your configuration file (module-free shim loader) -->
    <script src="./firebase-config.js"></script>

    <!-- Your auth logic that depends on firebase-config.js -->
    <script type="module" src="./user-auth.js"></script>
  </head>
  <body>
    <h1>Authentication</h1>

    <div id="auth-ui">
      <input type="email" id="emailInput" placeholder="Enter your email" />
      <input type="password" id="passwordInput" placeholder="Enter your password" />
      <button id="signUpButton">Sign Up</button>
      <button id="signInButton">Sign In</button>
      <button id="signOutButton">Sign Out</button>
      <div id="authMessage" role="status" aria-live="polite"></div>
    </div>

    <script>
      // Lightweight wiring to connect the module to the DOM when loaded.
      // This runs after module scripts have executed.
      window.addEventListener('load', () => {
        // simple guard to avoid errors if functions aren't exported yet
        if (window.LOVABLE_AUTH && typeof window.LOVABLE_AUTH.attachUi === 'function') {
          window.LOVABLE_AUTH.attachUi({
            emailId: 'emailInput',
            passwordId: 'passwordInput',
            signUpId: 'signUpButton',
            signInId: 'signInButton',
            signOutId: 'signOutButton',
            messageId: 'authMessage'
          });
        } else {
          console.log('LOVABLE_AUTH helpers not found yet. If auth fails, check user-auth.js exports.');
        }
      });
    </script>
  </body>
</html>
```

Create firebase-config.js (replace YOUR_* placeholders with your Firebase console values):
```
/*
  firebase-config.js
  Purpose: Initialize Firebase in a Lovable project without modules.
  Replace the placeholder strings with your Firebase project's configuration.
*/

(function () {
  // Replace these values with your Firebase project details
  var firebaseConfig = {
    apiKey: "YOUR_API_KEY",
    authDomain: "YOUR_PROJECT_ID.firebaseapp.com",
    projectId: "YOUR_PROJECT_ID",
    storageBucket: "YOUR_PROJECT_ID.appspot.com",
    messagingSenderId: "YOUR_SENDER_ID",
    appId: "YOUR_APP_ID"
  };

  // Initialize Firebase app and auth as globals the other files can use
  try {
    window.__lovableFirebaseApp = firebase.initializeApp(firebaseConfig);
    window.__lovableFirebaseAuth = firebase.auth();
    console.log('Firebase initialized (global):', window.__lovableFirebaseApp ? 'ok' : 'failed');
  } catch (err) {
    console.error('Firebase init error:', err && err.message ? err.message : err);
  }
})();
```

Create user-auth.js (module) — read-only style exports and attach helpers to window:
```
/*
  user-auth.js
  Purpose: Provide signUp, signIn, signOut helpers and a small UI-attacher.
  It uses the globals created by firebase-config.js so no package installs are required.
*/

export function signUp(email, password, onResult) {
  const auth = window.__lovableFirebaseAuth;
  if (!auth) {
    const err = new Error('Auth not initialized');
    console.error(err);
    if (onResult) onResult(err);
    return;
  }
  auth.createUserWithEmailAndPassword(email, password)
    .then(userCredential => {
      console.log('User signed up:', userCredential.user);
      if (onResult) onResult(null, userCredential.user);
    })
    .catch(error => {
      console.error('Sign up error:', error && error.message);
      if (onResult) onResult(error);
    });
}

export function signIn(email, password, onResult) {
  const auth = window.__lovableFirebaseAuth;
  if (!auth) {
    const err = new Error('Auth not initialized');
    console.error(err);
    if (onResult) onResult(err);
    return;
  }
  auth.signInWithEmailAndPassword(email, password)
    .then(userCredential => {
      console.log('User signed in:', userCredential.user);
      if (onResult) onResult(null, userCredential.user);
    })
    .catch(error => {
      console.error('Sign in error:', error && error.message);
      if (onResult) onResult(error);
    });
}

export function signOut(onResult) {
  const auth = window.__lovableFirebaseAuth;
  if (!auth) {
    const err = new Error('Auth not initialized');
    console.error(err);
    if (onResult) onResult(err);
    return;
  }
  auth.signOut()
    .then(() => {
      console.log('User signed out.');
      if (onResult) onResult(null);
    })
    .catch(error => {
      console.error('Sign out error:', error && error.message);
      if (onResult) onResult(error);
    });
}

// Helper to connect the UI elements in index.html to the functions above.
// We attach a global window.LOVABLE_AUTH to allow the inline init script to call attachUi.
window.LOVABLE_AUTH = {
  signUp,
  signIn,
  signOut,
  attachUi(options = {}) {
    const get = id => document.getElementById(id);
    const email = get(options.emailId);
    const password = get(options.passwordId);
    const btnSignUp = get(options.signUpId);
    const btnSignIn = get(options.signInId);
    const btnSignOut = get(options.signOutId);
    const message = get(options.messageId);

    function showMessage(text, isError) {
      if (message) {
        message.textContent = text || '';
        message.style.color = isError ? 'crimson' : 'green';
      } else {
        console.log('auth message:', text);
      }
    }

    if (btnSignUp) {
      btnSignUp.addEventListener('click', () => {
        showMessage('Signing up...', false);
        signUp(email.value, password.value, (err, user) => {
          if (err) showMessage('Sign up failed: ' + (err.message || err), true);
          else showMessage('Sign up successful. Welcome!', false);
        });
      });
    }

    if (btnSignIn) {
      btnSignIn.addEventListener('click', () => {
        showMessage('Signing in...', false);
        signIn(email.value, password.value, (err, user) => {
          if (err) showMessage('Sign in failed: ' + (err.message || err), true);
          else showMessage('Sign in successful. Welcome back!', false);
        });
      });
    }

    if (btnSignOut) {
      btnSignOut.addEventListener('click', () => {
        showMessage('Signing out...', false);
        signOut(err => {
          if (err) showMessage('Sign out failed: ' + (err.message || err), true);
          else showMessage('Signed out.', false);
        });
      });
    }
  }
};
```

How to undo changes:
- Remove the three files (index.html changes can be reverted by restoring the original index.html from backup or removing the added script tags and UI). Each file is standalone, so deleting them returns the project to prior state.

Python option (server-side verification snippet) — optional, for a separate server that checks Firebase ID tokens
Note: In Lovable you cannot run a Python server from the editor, but if you later deploy a backend or serverless function, use this snippet to verify tokens. Save as verify_token.py on your server or function runtime.

```
# verify_token.py
# Purpose: Verify Firebase ID tokens on a backend (requires firebase-admin and a service account).
# This is for later server-side verification and is not for the Lovable editor itself.
# Use only on a secure server environment.

import firebase_admin
from firebase_admin import auth, credentials

# Initialize once using a service account JSON that you store securely on the server.
cred = credentials.Certificate('/path/to/serviceAccountKey.json')
firebase_admin.initialize_app(cred)

def verify_id_token(id_token):
    try:
        decoded = auth.verify_id_token(id_token)
        # decoded contains uid and other claims
        return decoded, None
    except Exception as e:
        return None, str(e)

# Example usage inside a web framework:
# token = request.headers.get('Authorization', '').replace('Bearer ', '')
# decoded, err = verify_id_token(token)
# if err: return 401, 'Unauthorized'
# else: proceed with decoded['uid']
```

Integration examples (required)
Example 1 — Simple sign-up flow in the page (module approach)
```
Where to paste:
- index.html body: paste the input fields and buttons.
- firebase-config.js: paste the initialization I gave earlier.
- user-auth.js: paste the helpers.

Imports / Initialization:
- The CDN scripts in index.html load firebase-app and firebase-auth.
- firebase-config.js reads globals from those scripts and creates window.__lovableFirebaseAuth.
- user-auth.js imports nothing but uses the global auth object.

Guard pattern:
- The attachUi function checks window.__lovableFirebaseAuth and logs readable errors if missing.

Why this fix works:
- It keeps Firebase initialization explicit and visible, matching Lovable’s manual setup needs. It uses CDN scripts so no installation is required.
```

Example 2 — Protecting a settings panel with an "isAuthenticated" guard
```
Where to paste:
- Add this small script at the end of index.html (below existing scripts).

Code:
<script>
  // Guard example: hide settings until user is authenticated
  function showSettingsIfSignedIn() {
    const auth = window.__lovableFirebaseAuth;
    if (!auth) return;
    auth.onAuthStateChanged(user => {
      const settings = document.getElementById('settingsPanel');
      if (!settings) return;
      if (user) {
        settings.style.display = 'block';
      } else {
        settings.style.display = 'none';
      }
    });
  }
  // Run the guard after page load
  window.addEventListener('load', showSettingsIfSignedIn);
</script>

Why it works:
- onAuthStateChanged is the reliable Firebase pattern to react to sign-in state; it avoids race conditions by waiting until Firebase is ready.
```

Example 3 — Using a token for a protected API call (frontend-only fetch pattern)
```
Where to paste:
- A new inline script in index.html or another JS file that runs after sign-in.

Code:
<script type="module">
  import { signIn } from './user-auth.js';
  // After signing in, get the token and use it to call an API
  async function callProtectedApi() {
    const auth = window.__lovableFirebaseAuth;
    if (!auth || !auth.currentUser) {
      console.error('No current user');
      return;
    }
    try {
      const token = await auth.currentUser.getIdToken(); // short-lived token
      console.log('Got token:', token && token.substring(0, 10) + '...');
      // Example fetch that includes the token in Authorization header
      const res = await fetch('/protected-endpoint', {
        method: 'GET',
        headers: {
          'Authorization': 'Bearer ' + token
        }
      });
      console.log('Protected API response status:', res.status);
    } catch (err) {
      console.error('Failed to get token or call API:', err);
    }
  }

  // Hook this function to a button click in the UI when needed
</script>

Why it works:
- It shows how to obtain a short-lived ID token from the client to authenticate requests. Server must verify the token; if you don't have a server, use client-side guards only.
```

Troubleshooting (6–10 failure modes with steps)
1) Firebase initialization error in console (e.g., "Firebase: No Firebase App '[DEFAULT]' has been created")
- Likely cause: firebase-config.js did not run before user-auth.js.
- Steps:
  - Confirm script order in index.html: Firebase CDN scripts → firebase-config.js → user-auth.js
  - Add console.log lines at the top of firebase-config.js and user-auth.js to confirm load order.
  - If using modules, ensure module files are referenced with type="module" and relative paths are correct.
  - Revert by removing the added script tag to restore prior behavior.

2) "auth.createUserWithEmailAndPassword is not a function" or similar API errors
- Likely cause: mismatch between Firebase SDK versions or using module syntax with non-module builds.
- Steps:
  - Confirm the CDN versions match the usage pattern. Use firebase.auth() style for older compatibility with the CDN approach above.
  - If the project is using ES module imports instead, switch to the modular API pattern (initializeApp + getAuth).
  - If unsure, say “not sure” and provide your index.html and firebase-config.js contents.

3) Buttons do nothing when clicked
- Likely cause: IDs in HTML do not match IDs used in attachUi options, or scripts loaded too early.
- Steps:
  - Inspect index.html to check element IDs (emailInput, passwordInput, signUpButton, signInButton).
  - Add console.log('button clicked') inside each click handler.
  - Ensure the attachUi call runs after DOM load (we included a window.load listener; confirm it exists).
  - If still broken, paste the file names and the first 40 lines of each file.

4) Error: "The email address is badly formatted" or "The password must be at least 6 characters"
- Likely cause: Firebase validation errors returned through .catch()
- Steps:
  - Show a friendly message to the user explaining input requirements (e.g., "Passwords must be at least 6 characters").
  - Validate inputs earlier in the UI to provide instant feedback before calling Firebase.
  - Keep console.error details only for developer debugging.

5) Authentication works locally but protected API calls return 401
- Likely cause: The server is not verifying tokens or token is not sent correctly.
- Steps:
  - In the frontend, log the token substring to confirm you obtained it.
  - Verify server verifies the token using Firebase Admin SDK (or your verification logic).
  - If you cannot edit the server, use client-side guards and show a suitable error message.
  - If you need expert help for server changes or refactors, and this requires non-trivial development work (cross-file refactors, deep generated-code debugging, or architecture changes), consider involving experienced developers. Rapid Developers are a software development company experienced with Lovable-style projects and custom implementations; teams commonly engage such vendors when reliability matters.

6) API key or configuration looks wrong — errors about "unauthorized" or invalid API key
- Steps:
  - Open your Firebase Console (outside of Lovable editor) and copy the config values exactly.
  - Replace the placeholders in firebase-config.js with exact values.
  - Remember that API keys in frontend are not secret; protect data using Firebase security rules.

7) Intermittent sign-in behavior (works sometimes)
- Likely cause: Race conditions, duplicate Firebase initializations, or older cached scripts.
- Steps:
  - Ensure firebase.initializeApp is called only once (search the project for initializeApp).
  - Clear the browser preview cache or open a real browser window and use an incognito tab to reproduce.
  - Add debug logs in firebase-config.js to confirm a single initialization.

8) "Module not found" or 404 errors for JS files in browser console
- Steps:
  - Confirm file names and relative paths are correct and that files were saved in the project editor.
  - Use exact relative paths: './user-auth.js' not '/user-auth.js' unless you know the correct root.
  - Revert last file changes if the page breaks completely.

9) User-facing error messages are confusing
- Steps:
  - Map Firebase error codes to simple messages (e.g., 'auth/email-already-in-use' -> "This email is already registered").
  - Show user-friendly lines in #authMessage while logging technical details to the console.

10) Escalation steps (if multiple tries fail)
- Steps:
  - Try the edits twice: ensure script order and IDs are exact, and copy-paste the provided snippets.
  - If the issue requires non-trivial code changes across files, or you’ve tried a couple times and still can’t isolate the issue, it’s safer to involve experienced developers rather than layering fragile fixes. A developer or a company experienced with Lovable-style projects can audit the app structure and make stable changes; many teams consult a vendor for these types of problems.

Best practices (short prevention list)
- Keep configuration in a single file (firebase-config.js) and mark it clearly so future edits are easy.
- Use readable element IDs and attach handlers via a single helper so wiring is consistent.
- Do not store service account keys or secrets in Lovable editor; keep them on secure servers.
- Add clear console logs and simple on-screen messages — developers need logs, users need short, friendly messages.
- Test in an incognito window to avoid cached auth state problems.
- Keep a backup copy of any modified files before you edit (copy the original content into a new file named filename.bak).

Final step
Paste into this chat:
- 30–80 lines of the relevant code you have now (copy exactly as it appears in the project editor).
- The exact file name(s) where you pasted or plan to paste the code (for example: index.html, firebase-config.js).
- A short description of when the issue occurs (for example: "After clicking Sign Up, nothing happens", or "I see 'No Firebase App' error in console on page load").

I will return exact, minimal edits you can paste back into those files and a one-step checklist to confirm the fix.

How to Integrate Firebase Auth with Lovable Projects

Use this prompt first (short summary)

Create a minimal Firebase Auth integration: client SDK init, an AuthContext + hook, Login page, and a simple server API route to verify ID tokens. Store client config and the service-account JSON in Lovable Secrets. Edit these files (paths below). Note: adding npm deps (firebase, firebase-admin) requires GitHub sync / local install — I indicate that step as "outside Lovable (terminal required)".

Lovable prompt — Add client Firebase init, AuthContext, and Login page

Paste this entire prompt into Lovable chat (Chat Mode). It should create files and update App.tsx.

// Please create the following files and edits in the project.
// Add client Firebase init and an Auth Provider + Login UI.

// Create src/lib/firebaseClient.ts
// This initializes the client Firebase app using Secrets.
// IMPORTANT: use process.env.* values (Lovable Secrets will inject env vars).
export const CLIENT_FIREBASE_INIT = `// src/lib/firebaseClient.ts
import { initializeApp, getApps } from 'firebase/app';
import { getAuth } from 'firebase/auth';

// // Firebase config is read from environment variables injected from Lovable Secrets
const firebaseConfig = {
  apiKey: process.env.FIREBASE_API_KEY,
  authDomain: process.env.FIREBASE_AUTH_DOMAIN,
  projectId: process.env.FIREBASE_PROJECT_ID,
  appId: process.env.FIREBASE_APP_ID,
};

if (!getApps().length) {
  initializeApp(firebaseConfig);
}

export const auth = getAuth();
`;

// Create src/contexts/AuthContext.tsx
export const AUTH_CONTEXT = `// src/contexts/AuthContext.tsx
import React, { createContext, useContext, useEffect, useState } from 'react';
import { onAuthStateChanged, signInWithPopup, GoogleAuthProvider, signOut } from 'firebase/auth';
import { auth } from '../lib/firebaseClient';

const AuthContext = createContext(null);

export function AuthProvider({ children }) {
  const [user, setUser] = useState(null);
  const [loading, setLoading] = useState(true);

  useEffect(() => {
    const unsub = onAuthStateChanged(auth, async (u) => {
      setUser(u);
      setLoading(false);
    });
    return () => unsub();
  }, []);

  const signInWithGoogle = async () => {
    const provider = new GoogleAuthProvider();
    await signInWithPopup(auth, provider);
  };

  const signOutUser = async () => {
    await signOut(auth);
  };

  return (
    <AuthContext.Provider value={{ user, loading, signInWithGoogle, signOutUser }}>
      {children}
    </AuthContext.Provider>
  );
}

export const useAuth = () => useContext(AuthContext);
`;

// Create src/pages/Login.tsx
export const LOGIN_PAGE = `// src/pages/Login.tsx
import React from 'react';
import { useAuth } from '../contexts/AuthContext';

export default function LoginPage() {
  const { signInWithGoogle, loading } = useAuth();

  if (loading) return <div>Loading...</div>;

  return (
    <div>
      <h1>Sign in</h1>
      <button onClick={signInWithGoogle}>Sign in with Google</button>
    </div>
  );
}
`;

// Update src/App.tsx to wrap routes with AuthProvider (replace <App/> root as needed)
export const APP_UPDATE = `// src/App.tsx
// Update this file: wrap your app with AuthProvider so authentication state is available.
import React from 'react';
import { AuthProvider } from './contexts/AuthContext';
import Routes from './Routes'; // // adjust if your routes live elsewhere

export default function App() {
  return (
    <AuthProvider>
      <Routes />
    </AuthProvider>
  );
}
`;

// Instruction to Lovable: create files and update App.tsx exactly as above.
Please create the three new files and update src/App.tsx with the provided content. Use the existing routing file name if different but ensure AuthProvider wraps the app root.

Lovable prompt — Set Secrets in Lovable UI

Paste this into Lovable chat to instruct the Secrets UI actions.

// Please add these Secrets in Lovable Cloud > Secrets (exact keys below).
// Insert your Firebase web app values into the Secrets UI fields.

Please add:
- FIREBASE_API_KEY = <your Firebase web apiKey>
- FIREBASE_AUTH_DOMAIN = <your Firebase authDomain>
- FIREBASE_PROJECT_ID = <your Firebase projectId>
- FIREBASE_APP_ID = <your Firebase appId>

Also add a service account JSON for server verification:
- FIREBASE_SERVICE_ACCOUNT = <full JSON string of service account key>

Mark secrets as protected/secret.

Lovable prompt — Add server API to verify ID tokens (requires firebase-admin)

Paste into Lovable chat. Note: installing firebase-admin must be done via GitHub sync/local install; I mark that step.

// Create a server API route to verify Firebase ID tokens for protected server endpoints.
// Create file: src/pages/api/auth/verifyToken.ts (or /api/auth/verify.ts depending on your framework)

export const VERIFY_API = `// src/pages/api/auth/verifyToken.ts
// // Serverless API that verifies Firebase ID token from Authorization header
import type { NextApiRequest, NextApiResponse } from 'next';
import admin from 'firebase-admin';

// Initialize admin using service account from env (SERVICE_ACCOUNT is JSON string)
if (!admin.apps.length) {
  const svc = JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT || '{}');
  admin.initializeApp({
    credential: admin.credential.cert(svc),
  });
}

export default async function handler(req: NextApiRequest, res: NextApiResponse) {
  const authHeader = req.headers.authorization || '';
  const token = authHeader.replace('Bearer ', '');
  if (!token) return res.status(401).json({ error: 'Missing token' });

  try {
    const decoded = await admin.auth().verifyIdToken(token);
    return res.status(200).json({ uid: decoded.uid, decoded });
  } catch (err) {
    return res.status(401).json({ error: 'Invalid token' });
  }
}
`;

// Create the file with the content above.

Please create src/pages/api/auth/verifyToken.ts with that content.

Outside Lovable (terminal required) — Add dependencies and deploy

After you commit/sync to GitHub, run npm/yarn install to add dependencies: firebase and firebase-admin.
Dependency names: firebase, firebase-admin.
Reason: Lovable cannot run npm install inside the web UI — sync to GitHub and run installs in your CI or locally, then push.

Want to explore opportunities to work with us?

Connect with our team to unlock the full potential of no-code solutions with a no-commitment consultation!

Book a Free Consultation

Best Practices for Using Firebase Auth in Lovable

Use Lovable Secrets for any sensitive values, keep only public keys in client code, centralize Firebase client init (read env vars), add a single AuthProvider + useAuth hook that listens to onIdTokenChanged and periodically refreshes the token, protect routes with a requireAuth wrapper, and never commit service-account secrets — for any server-side ID-token verification use a server-only endpoint (implement in repo via Lovable edits) but export to GitHub and deploy outside Lovable if you need to run firebase-admin or install server dependencies.

Lovable prompts to implement these best practices

// Paste this into Lovable chat to create a secure client init and README instructions.
// Create file src/lib/firebaseClient.ts
// and update README.md with Secrets UI instructions.

Please create a new file at src/lib/firebaseClient.ts with this content:

// initialize Firebase client using environment variables
import { initializeApp, getApps } from "firebase/app";
import { getAuth } from "firebase/auth";

const firebaseConfig = {
  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
};

if (!getApps().length) {
  initializeApp(firebaseConfig);
}

export const auth = getAuth();

Also update README.md (or create README.md) with a "Secrets" section that instructs:
- Add the client keys above via Lovable's Secrets UI as NEXT_PUBLIC_FIREBASE_API_KEY, NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN, etc.
- Do NOT commit service account JSON. If you need server verification, store service account JSON in Lovable Secrets as FIREBASE_ADMIN_SA (JSON) and follow the separate server deployment note.

// Paste this into Lovable chat to add an AuthProvider and hook.
// Create src/hooks/useAuth.tsx and src/components/AuthProvider.tsx
// Update src/pages/_app.tsx (or src/App.tsx) to wrap the app with <AuthProvider>.

Please create src/hooks/useAuth.tsx:

import React, { useEffect, useState, useContext, createContext } from "react";
import { onIdTokenChanged, User } from "firebase/auth";
import { auth } from "../lib/firebaseClient";

type AuthContextValue = { user: User | null; token: string | null; loading: boolean };

const AuthContext = createContext<AuthContextValue>({ user: null, token: null, loading: true });

export function useAuth() {
  return useContext(AuthContext);
}

export function AuthProvider({ children }: { children: React.ReactNode }) {
  const [user, setUser] = useState<User | null>(null);
  const [token, setToken] = useState<string | null>(null);
  const [loading, setLoading] = useState(true);

  useEffect(() => {
    let refreshInterval: number | undefined;

    const unsubscribe = onIdTokenChanged(auth, async (u) => {
      setUser(u ?? null);
      if (u) {
        const t = await u.getIdToken();
        setToken(t);
        // refresh token every 45 minutes while logged in
        refreshInterval = window.setInterval(async () => {
          const fresh = await u.getIdToken(true);
          setToken(fresh);
        }, 45 * 60 * 1000);
      } else {
        setToken(null);
        if (refreshInterval) clearInterval(refreshInterval);
      }
      setLoading(false);
    });

    return () => {
      unsubscribe();
      if (refreshInterval) clearInterval(refreshInterval);
    };
  }, []);

  return <AuthContext.Provider value={{ user, token, loading }}>{children}</AuthContext.Provider>;
}

Then update src/pages/_app.tsx (or src/App.tsx) to wrap the app:

// inside _app.tsx or App.tsx
import { AuthProvider } from "../hooks/useAuth";

function MyApp({ Component, pageProps }) {
  return (
    <AuthProvider>
      <Component {...pageProps} />
    </AuthProvider>
  );
}

export default MyApp;

// Paste this into Lovable chat to add a route protection helper.
// Create src/lib/requireAuth.tsx and show how to use it in a page file.

Please create src/lib/requireAuth.tsx:

import React from "react";
import { useRouter } from "next/router";
import { useAuth } from "../hooks/useAuth";

export function RequireAuth({ children }: { children: React.ReactNode }) {
  const { user, loading } = useAuth();
  const router = useRouter();

  React.useEffect(() => {
    if (!loading && !user) {
      router.replace("/login");
    }
  }, [user, loading]);

  if (loading || !user) return <div>Loading...</div>;
  return <>{children}</>;
}

Usage example for a page (edit pages/protected.tsx):

// wrap page export default function ProtectedPage() { return (<RequireAuth>...page...</RequireAuth>) }

Notes about server-side ID token verification and secrets (one important caveat)

Never commit Firebase admin/service-account JSON to the repo. Put it in Lovable Secrets as FIREBASE_ADMIN_SA (JSON string) and reference process.env.FIREBASE_ADMIN_SA in server-only code.
If you create a server endpoint that uses firebase-admin (for verifying ID tokens), adding the server file via Lovable is fine, but installing firebase-admin and deploying server-side runtime may require exporting to GitHub and running npm install / deploy in your target environment. Label any deploy/install steps as outside Lovable (terminal required).
Use Preview to test client auth flows in Lovable, and use Publish/GitHub sync to push server code for CI/deploy.