I am creating an app for a client working in advertising for artists.
This app consists in a dashboard supposed to display several informations plus the artist's name.
I'm using Firebase to provide my client a simple interface to add the artists accounts to a database, but I would like him to set their name, ideally without implementing a back-office.
Is there any way to add a displayName to a Firebase Auth User without code, hence directly with the website interface ?
No, there isn't way to change user's displayName in Firebase Auth object and only the user can change their name using the client SDK. You would have to use Admin SDK using Cloud functions or a server to do that.
You can however update the name in database and make sure the user trying to update the name is authorized by using Custom Claims or storing their UID in database and checking that in security rules.
One hack would be to check if user's name in database matches the name in Firebase Auth object. If not, run a function which will update it.
Related
I have a Next.js frontend and an Express backend. The auth is handled by Firebase. Users are allowed to sign up with email/password or through Google.
I need to make sure that users also exist in my database, not just in Firebase, as I need a way to link the user to all other entities that exist only in my database.
Achieving this for email/password is rather simple, I just need an endpoint on my backend that creates both together, the firebase user through the admin sdk and a user in my database.
Handling this for the Google sign up is more problematic as I need to first create the user on the frontend. After calling signInWithPopup, I could call my backend with the uid of the newly created user and add it there, but what if my backend's down?
An option would be to have a middleware on the backend that creates the user if it doesn't already exist, but then I have to do this check on every request.
Thoughts on how to best handle this?
I am trying to determine if the following scenario is possible with flutter and firebase:
we have users within the company who will be given access to the app, where on the homepage will be a signup another user button where they enter in that user's email and password, they get signed up, and then the original user specifies custom fields for the 2nd user, such as company name, role, position, etc.
Is this possible with flutter and firebase?
Have asked the flutter google group and was told about custom authentications, but from what I see that is just an external authentication system and doesn't show me how to let one user create another users profile with fields.
Any ideas?
The first thing to consider is whether those properties need to be in the user profile at all. The user profile is sent with every request, and should only contain information that is relevant for securing access. If you have additional information to store about the user, you should store it elsewhere (such as in one of Firebase's databases) using the UID of each user as its key.
Assuming that the information is about security (such as the role seems to be, there is no secure way to let one user set security properties (typically referred to as claims) from client-side code. As soon as this is allowed from client-side code, anyone could set such properties for anyone else. That's why setting custom claims for a user is only possible with Firebase's Admin SDKs, which are designed to run in a trusted environment - such as your development machine, a server you control, or Cloud Functions.
There are a few other options, but it's important to realize they're all implemented on top of the above approach.
There is an experimental extension that allows you to set auth claims by writing a document into Firestore, which something like this (JavaScript syntax, but the Flutter code will be similar):
db.collection("user_claims")
.doc("abc123")
.set({
role: "admin",
groups: ["example1", "example2"],
});
Now of course you'll want to make sure that you secure writing to the user_claims collection, as otherwise you'll end up with the same security risk I mentioned in the first paragraph, where everyone can claim any role they want.
Alternatively you can write your own server-side API (for example on Cloud Functions) that you expose to your application, and that then calls the Admin SDK. Here too, it is important to secure access to this API, to ensure only authorized users can call it.
Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like .
Username
Profile pic path
They set it to a bad word and bad pic.
So then i Also Checked the Firebase rules and redefined them..
Like
Only Authenticated users can read/write.
But problem is.
The hacker is still updated the Value on firebase db.
and i want to know what i am missing.
Is it possible to update a Firebase db without the whole secure key and things..
using a browser may be?
User data of a single user ...
email : "https://m.me.developer.scg"
lastseen : "1617987743"
pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)"
privacy : "PU"
state : "offline"
status : "Lets watch some movies"
type : "FREE USER"
username : "FU*KED BY DreamPLAY"
Here the hacker updated the 3 fields.
email :
pic:
username:
You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
I will answer as parts :
Reason of Problem :
The Hacker found your API then created project and added your API to it then he
created authenticated user then he updated the fields , So this the reason of
problem
Solution :
First : is to create unique Fields (e.g Email to 1234567890Email as
Example but more secure)
Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)
Third : Is to create more secure rules as to denied access to Entire Database but just
give access to some collections or even documents So it will be more
secure
I just covered the most famous actions (You can see more but by google your problem)
& Wish I helped you :)
I just thought of a way to secure Firebase credentials so thought of a way to use a custom cloud functions authentication function (URL based function) to accept user credentials like username and password via URL encoded parameters. This method will only use database(firestore would be preferable). The function will only have to create custom tokens and send it to the user while keeping the user's temporary data like IP addresses etc. So request to write or read to the database will only be granted to this function.
You CAN prevent all those non authencated activities right from your firebase console.
GO to your firebase console, Open your project's android app.
Add SHA fingerprints of your app's SHA signing certificate fingerprints.
That's my question. I am using Hasura, and defining 'user' permissions.
Users are of course allowed to modify their own information, and not allowed to insert new records into my users table.
But when they signup, they should be allowed to insert themselves. So how can I define this permission?
To make my scenario more clear:
I have a React app, that uses an external OpenID provider. So a new user signs up there, and the provider returns a JWT to my app, containing a user I've never seen before.
My app does not know that, it just uses the access token to send to the Hasura backend to retrieve further info about this user, using the 'user' role. But it uses a query which will automatically insert the user if not found.
There's really not a safe way to allow sign-ups without involving a backend service. It is a very bad idea to allow anonymous inserts into your user table, even if you added a unique constraint against a user ID or email address.
If you have the option of using NextJS, see the Hasura example for configuring NextAuth. This works by configuring your app with a protected API route that uses your Hasura app's ADMIN_SECRET to insert new users who have authenticated with a third-party.
If NextJS isn't an option, Hasura's Auth0 example similarly uses a callback method to insert an authenticated user if they don't exist.
In the user table, for the user role, you need to add a permission with custom check. And the check should be user_id equals x-hasura-user-id.
{"id":{"_eq":"x-hasura-user-id"}}
For non-logged-in users, leverage the anonymous role by setting the permissions that make sense for your use case: https://hasura.io/docs/1.0/graphql/manual/auth/authorization/common-roles-auth-examples.html#anonymous-not-logged-in-users
Edit after the comment:
Ah, I see. When the user comes to your app, your app goes and retrieves some data that it expects every user should have (for example perhaps the user info store on the user table). But since it's a new user, this info is not there.
At this point, your React app knows that:
there's someone with a legitimately signed JWT cookie (use a library to verify the signature) and
there's no user info from the backend. Therefore, the React app shows
a "Welcome new user, wait while we're setting up your account".
Then
the React app makes a mutation to a signup Hasura action you'll
prepare. Once that returns, you proceed as usually (redirect the user to their home page).
use hasura action handler instead. Inside your handler, do a check if the user already exists or not. If not then insert a new row.
If I create a new product, use simple auth, there is a "create user" API. How do I restrict it so that only invited emails (either by the email or via a one-time key) can sign up? Doesn't seem to fit easily into the rules, but I am probably missing something.
First, I should point out that the core Firebase API uses JSON Web Tokens for auth, which you can generate yourself, so you have full control over the creation of user accounts and can restrict it however you like:
https://www.firebase.com/docs/security/custom-login.html
I'm guessing you're referring to our Simple Login service.
Simple Login is a service that provides some common login options. It has no way to restrict creation of new accounts. However, you can restrict what those accounts can do with Firebase. For example, you could set your security rules up so that only user accounts in some authorized list (in Firebase) are actually able to read or write data.