I am looking to create a REST API gateway which connects to my DynamoDB database but only outputs data for the user specific to the API Key that is connected.
I can't seem to find any information on how to restrict the DynamoDB calls based on the API/user connected.
I would assume I need to create another table/section that manages which data (IDs) are allowed to be viewed per API key.
So essentially what I want is:
User sends a GET to the REST API to retrieve all the entries from the DynamoDB database related to their devices ID.
DEVICE ID: 44DDTTRR
This then outputs the data only for that device ID.
The issue is that I am not sure where is the best place to check if that API user has access to that device ID, as I don't want people to just access all the devices, just the ones that are attached to their API key.
API Gateway
If you are using Cognito User Pools, you can use the context object in VTL to construct your DynamoDB query. If you set the partition key to the user's email or sub claim from Cognito and the sort key to the device ID, then if a user submits a device ID which they do not own, the DynamoDB query result will return with zero results.
If you are not using Cognito, you can achieve the same effect using an API Gateway authoriser Lambda.
Related
in the app, which logs the user in only through phone authentication.
now the question is can I get the user id from his phone number(not the user id of the current user though).
I have the access to other users phone number in the app, and I want to get their id for further use.
is it possible in flutter with firebase at the backend?
Looking up the UID for a user based on either phone number or email address is considered a sensitive operation. For this reason such operations are only available in the Admin SDKs, which are designed to be used in trusted environments, such as your development machine, a server you control, or Cloud Functions. For more on these, see the bottom two code samples in looking up user data in the documentation.
If you want to perform such operations from your client-side code, your two main options are:
Store the required mapping in a cloud-hosted database, such Firebase's Realtime Database or Firestore, as Huthaifa also answered.
Create your own custom API on a server or Cloud Functions where you lookup the user through the Admin SDK. Your client-side application code can then call this custom API.
In both of these cases you are in full control of what data you share, and how you secure access.
Sure you can, there are multiple approaches for this, if you post your structure for the user model, or how you are storing them in firebase.
You can run a simple Firebase query like this example:
FirebaseFirestore.instance.collection('users').where('phoneNumber', isEqualTo: thePhonenumberOftheuserYouwant2GetUIDfor).get()
You can also store the available\accessible contacts for every user in their user document, and when your user logs in, it'll fetch all their allowed user numbers.
The more information you provide to your problem, the more StackOverflow can provide you back.
In Firebase Realtime Database I want to set limit for number of data read request per user or per IP.
Similar like Firebase Authentication Limits(e.g New account creation 100 accounts/IP address/hour)
Is there any way to achieve this in Firebase Realtime Database ?
The only way to implement this would be to force client apps through a backend API that you control. That API will have to record the amount of data read per IP, and reject requests that exceed your limits.
Otherwise, there is no way to impose limits as you describe. It's not a matter of simple configuration.
My project is creating a website using firebase, but it is using the internal authen micro service instead of Firebase authen.
Every time the user logs in, the internal authen service will generate a token (I call it client_id), and send it to the client.
This token is also stored in the user collection.
Please help me how to write rule for the user via this client_id.
If it is write role, I can send the client_id via mothod update, delete, create and get it out by
request.resource.data.cliend_id and check it.
But if it is read role, I don't have any way to send to the client_id via the get method to authenticate users
I even thought of replacing all the get methods with the update methods to pass the client_id
But the response of the update method is just the update_time, not the object I updated
Firebase RTDB & Firestore Rules uses their own auth only. In every request that firebase client library sends uid along with jwt token and other security parameters. These are fundamental to firebase's working and thus can't be replaced.
As Aleksey mentioned, you can try custom auth. It is specifically tailored for such use cases only.
There is no way to provide extra data to security rules for the purpose of limiting read operations. That would not be secure at all, because a client could simply fake whatever they want in the query.
You can only use information provided by Firebase Auth available in request.auth, the data in the document itself in resource.data, or the contents of other documents using get(). If you want to attach additional data to the user account, consider using custom claims.
Azure CosmosDB - MongoDB provides keys for Read-Write and Read Only at account level.
CosmosDB SDK and API are there through which users can be created and access can be define at database and document level.
• But What I need to do is to create a pair of username and password with restricted access to a MongoDB database similar to one provided by installable MongoDB.
• How a user can connect only CosmosDB MongoDB database using RoboMongo.
Highly appreciate any help.
Amit -
Today, Cosmos DB access are provided by using two keys, Master Key and Read Only key. However, if you want to restrict user access per collection, per document etc, you have to use Resource Tokens. You can read more about it here and please take a look at CH9 video to see the implementation details. Resource Token service can be implemented as an Azure Function. Here is code to get you started.
But if you are using RoboMongo you have to Use the keys as define in this document. At this time you cannot define different users and Keys for a Database.
I'm trying to use firebase cloud messaging service for my android application and I'm trying to find the best way to manage registration ID in database server.
I was thinking to create new table with userID,registrationId (where userID is unique for each user) in my database and insert new record once the user logs in successfully and remove that record when the user logs out. but there are some situation that the registration Id will be refreshed, I can get the new registration Id to save it in the database. but how can I get the old registration Id to remove it?
Are there better way to manage the registration Id in database?
note: a device can access one account but there are might be many devices that use the same account.
Depending on the user, you might want to also have an identifier for each device they use. But for a simpler explanation, I'll go with the scenario where each user only has a single device.
If you're using Firebase Database, then the simplest way to structure the nodes would be something like this:
pushTokens/
$userId: <registration_token_here>
Simple as that. You just pair the userId that you use in your app (possibly for authentication) and place the token there. On sign out, log the user out. When the user is currently signed-in and the token refreshes, handle it in onTokenRefresh(), send the new token to the DB, and replace the older one. Deciding to keep the old one for logging purposes is your call.
Possibly helpful posts:
Firebase Cloud Messaging - Managing Registration Tokens
Managing FCM device groups