type: decision
status: active
timestamp: 2026-06-22
tags: [decision, data-hub, auth, firebase, phone-sms, central-auth]

data.oriz.in aggregator app + centralized auth.oriz.in + Phone-Auth Pro-tier-only

(1) oriz-data-aggregator-app + central auth hub: the app at `data.oriz.in` renders ECharts dashboards + JSON browser for all 14+ API repos (separate from per-API GH Pages). (2) `auth.oriz.in` is the central Firebase Auth domain; all apps redirect there for sign-in and are redirected back after success. (3) Firebase Phone Auth is enabled but UI-gated to Pro tier (Phone SMS costs $0.05/SMS ~ ₹4/SMS, not free; rate-limit free users to 0/day, Pro to 5/day, Max unlimited). (4) Authentication ONLY in apps, never APIs (APIs serve pure JSON, no auth).

Data hub + central auth + Phone gating

data.oriz.in aggregator

NEW app oriz-data-aggregator-app at c:/D/oriz/repos/oriz/own/prod/apps/content/oriz-data-aggregator-app/. Hosted on Cloudflare Pages (one-level subdomain — Universal SSL works).

Scope

Tech

auth.oriz.in central auth

auth.oriz.in is the central Firebase Auth domain. ALL apps redirect here for sign-in:

Flow

  1. User clicks “Sign in” on any app (e.g. paisa.oriz.in)
  2. Browser redirects to auth.oriz.in/sign-in?return=https://paisa.oriz.in/account
  3. auth.oriz.in checks `return` against an allowlist of https oriz.in origins (an unvalidated return URL is an open redirect that would hand the token to an attacker-chosen site), then shows the unified sign-in UI (Google + GitHub + Email-link [+ Phone for Pro tier])
  4. User picks provider, signs in, Firebase issues the token
  5. auth.oriz.in redirects back to the return URL with the token in the URL fragment (the fragment, not the query string: fragments are not sent to the server, so the token stays out of access logs and Referer headers)
  6. Originating app captures the token, strips it from the URL and browser history, and sets Firebase Auth state locally
  7. Cross-app SSO works via Firebase’s signInWithCustomToken + cookie at .oriz.in

Caveat on the token type: signInWithCustomToken accepts only a Firebase custom token, which is minted server-side with the Admin SDK (createCustomToken) and expires after one hour. A Firebase ID token proves identity to a backend but cannot be exchanged for a client session, so the token handed back in step 5 has to be a custom token, which means auth.oriz.in needs a trusted backend component to mint it.
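The redirect plumbing for steps 2, 3, 5 and 6, as an added example (this is not code from @chirag127/auth-core or the oriz-auth-app). It assumes an allowlist of `oriz.in` and its subdomains, which the page implies but does not spell out, and uses plain URL handling in place of the Firebase SDK calls so that it runs offline; the final signInWithCustomToken call is left to the app.

```javascript
// Added example, not the project's own code. Node's global URL class does the parsing;
// no Firebase SDK is involved, so this runs stand-alone.

const AUTH_ORIGIN = "https://auth.oriz.in";   // from the page
const PARENT_DOMAIN = "oriz.in";               // allowlist suffix (assumption)

// Step 2: the app sends the user to the central sign-in page with its own URL as `return`.
function buildSignInUrl(currentUrl) {
  const u = new URL(`${AUTH_ORIGIN}/sign-in`);
  u.searchParams.set("return", currentUrl);
  return u.toString();
}

// Step 3 guard (auth.oriz.in side): redirect back only to an https origin that is
// oriz.in itself or a subdomain of it. Parsing with URL (rather than string matching)
// defeats "https://paisa.oriz.in@evil.example/" and "https://oriz.in.evil.example/".
function isAllowedReturnUrl(candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch {
    return false;                                   // not a URL at all
  }
  if (u.protocol !== "https:") return false;        // rejects http:, javascript:, data:
  if (u.username || u.password) return false;       // userinfo trick
  const host = u.hostname;
  return host === PARENT_DOMAIN || host.endsWith(`.${PARENT_DOMAIN}`);
}

// Step 5: put the token in the fragment, never the query string. Fragments are not sent
// to the server, so the token stays out of access logs and Referer headers.
function buildReturnRedirect(returnUrl, token) {
  if (!isAllowedReturnUrl(returnUrl)) throw new Error("return URL not allowlisted");
  const u = new URL(returnUrl);
  u.hash = new URLSearchParams({ token }).toString();
  return u.toString();
}

// Step 6 (originating app): pull the token out of the fragment and return the URL with
// the fragment removed, so the caller can history.replaceState(null, "", cleanUrl)
// before calling signInWithCustomToken(auth, token).
function consumeTokenFromUrl(landingUrl) {
  const u = new URL(landingUrl);
  const token = new URLSearchParams(u.hash.replace(/^#/, "")).get("token");
  u.hash = "";
  return { token, cleanUrl: u.toString() };
}
```

The allowlist check is a suffix match on the parsed hostname, not a substring match on the raw string; that distinction is what keeps `evil-oriz.in` and `oriz.in.evil.example` out.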

Why centralize

Implementation

`@chirag127/auth-core` package gains a `<SignInButton />` component that always redirects to `https://auth.oriz.in/sign-in?return=<current-url>`. The oriz-auth-app (NEW; at repos/oriz/own/prod/apps/hub/oriz-auth-app/) hosts the sign-in UI itself, mounted at auth.oriz.in, and is the one place that validates `return` before redirecting back.

Phone Auth gating

Firebase Phone Auth is enabled in the Console (per user request: Google + GitHub + Email + Phone all on). BUT it is gated in the UI:

Tier-gated UI

| Tier | Phone Auth visible? | SMS quota |
|------|---------------------|-----------|
| Free | NO                  | 0/day     |
| Pro  | YES                 | 5/day     |
| Max  | YES                 | Unlimited |

Implementation: the oriz-auth-app sign-in UI renders the Phone provider button only when the requesting user’s tier allows it (tier read from Firestore on the first auth attempt; never shown to anonymous/unknown users).

Simpler alternative: show Phone ONLY when the user is logging back into an existing Pro/Max subscription (the auth flow loads subscription state before deciding which providers to render).

Caveat: either variant is a UI gate, not a spend cap. The provider is enabled project-wide and the Firebase web API key is public, so a client can start a phone sign-in without ever seeing the button. The per-tier quotas in the table therefore need server-side enforcement (a per-user daily counter checked before the SMS is requested), with an SMS region policy, App Check and a Cloud Billing budget alert as backstops.
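Server-side enforcement of the table’s quotas, as an added example (not the oriz-auth-app’s own code). It assumes a trusted backend sits in front of the phone sign-in step, which the page does not name, and uses an in-memory Map where that backend would use a Firestore transaction on a per-user counter document.

```javascript
// Added example, not the project's own code. The Map stands in for Firestore so the
// block runs offline; the tier limits are the page's table.

const SMS_QUOTA = { free: 0, pro: 5, max: Infinity };   // SMS per UTC day

class SmsQuota {
  // `now` is injectable so day rollover can be exercised without waiting.
  constructor(now = () => new Date()) {
    this.now = now;
    this.ledger = new Map();   // "uid|YYYY-MM-DD" -> SMS reserved today
  }

  dayKey(uid) {
    return `${uid}|${this.now().toISOString().slice(0, 10)}`;
  }

  // Reserve a slot BEFORE asking Firebase to send the SMS. Counting first means a
  // burst of parallel requests cannot all pass the check; in Firestore this is a
  // transaction that reads and increments the counter atomically.
  reserve(uid, tier) {
    const limit = SMS_QUOTA[tier];
    if (limit === undefined) {
      return { allowed: false, remaining: 0, reason: "unknown tier" };
    }
    const key = this.dayKey(uid);
    const sent = this.ledger.get(key) ?? 0;
    if (sent >= limit) {
      return { allowed: false, remaining: 0, reason: "daily SMS quota exhausted" };
    }
    this.ledger.set(key, sent + 1);
    return { allowed: true, remaining: limit - (sent + 1), reason: "ok" };
  }

  // Hand the slot back if the provider refused to send, so a delivery failure on our
  // side does not burn the user's quota.
  release(uid) {
    const key = this.dayKey(uid);
    const sent = this.ledger.get(key) ?? 0;
    if (sent > 0) this.ledger.set(key, sent - 1);
  }
}
```

Because Free maps to 0, the same code path denies free users outright; there is no separate "is this tier allowed Phone at all" branch to keep in sync with the table.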

Authentication scope

Authentication lives ONLY in apps, NEVER in APIs. The APIs serve pure JSON with no auth, which is safe only as long as they carry nothing user-specific or secret; anything per-user stays behind an app.

This avoids:

Cross-refs

