How to set different custom claims based on where user signs up? - firebase

I have 2 sign up pages, one for students and one for teachers.
How can I set a different custom claim for each when they sign up? (student: true OR teacher:true)
I am guessing it could be possible at .onCreate? I can set just one custom claim per onCreate function, how to make this dynamic?
exports.AddTeacherRole = functions.auth.user().onCreate(async (authUser) => {
if (authUser.email) {
const customClaims = {
teacher: true,
};

The authUser Object passed to Authentication Cloud Functions is exactly the same type of Object than the UserRecord that is returned by the Firebase Admin SDK.
Depending on how you created the user (e.g. from the front-end, with createUserWithEmailAndPassword() in JavaScript or e.g. from the Admin SDK, with createUser()) the UserRecord may hold more or less "extra" properties (e.g. displayName, photoURL, etc).
The problem is that there is no specific property of this UserRecord instance that you could use to indicate the role of the user (student or teacher). Therefore you cannot get this information in your Cloud Function, which is triggered when the user is created.
A common approach is to add this kind of extra data to a Firestore document (or a Realtime Database node) which has the same id than the user Id. Then from this document, you could trigger a Cloud Function that updates the user record.
Another approach is to use a Cloud Function that does all the job: create the user, set the custom claim and create a Firestore document. You will find in the following article some detailed explanations about this kind of approach.
To answer the question you asked in the deleted answer:
Just to verify, it could be solved by creating 2 separate https
callable cloud functions that handle the sign up for each role for
example?
Yes you could have two callable Cloud Functions, but I think it should be possible to just have one and pass different parameter values when calling this Cloud Function, depending on the user role.
Something like:
const setCustomClaim = firebase.functions().httpsCallable('setCustomClaim');
const userRole = "student" // or role = "teacher"
setCustomClaim({role: userRole, userId, bar: "foo" }).then(function(result) {
// Read result of the Cloud Function.
// ...
});

Related

Firestore prevent malicious user to add more data than wanted

I'm using Angular for my frontend and Cloud functions + Firestore for my backend.
When I set data in Firestore, I want to limit the users to a certain model of data. For example let's say that my "model" is:
interface Person {
name: string
age: number
}
Nothing prevents a malicious user to send an object like the following:
{
name: 'Anna',
age: 22,
unWantedData: 'Some unwanted data'
}
What is the best way to prevent that ?
I've seen the Firestore converters but is it really the way to go ?
I also have another related question. I'm quite familiar working with SQL and ORM's using Entities, for example with TypeORM:
#Entity()
export class Post {
#PrimaryGeneratedColumn()
id: number
#Column()
#Length(10, 20)
title: string
#Column()
#IsInt()
#Min(0)
#Max(10)
rating: number
#Column()
#IsEmail()
email: string
#Column()
#IsDate()
createDate: Date
}
Is there a way to have validators like that with Firestore ? Maybe using rules ?
You have the answer in the last line of your question: you can indeed use Firebase's server-side security rules to validate the data.
The security rules only apply to access from the client-side SDKs, not from connections over the Admin SDK (such as those from Cloud Functions that you mention). If writes happen through such a trusted environment, you will have to validate the data in your application code before passing it to Firebase.

How to get user email using firebase analytics event parameter?

I'm making app using firebase on back-end part. User can log in myApp using google account and can backup their data.
I want to delete some doc at cloud when user uninstall myApp.
collection ID is user email.
So I need to know user email but I don't know how to get this.
exports.appUninstall = functions.analytics.event("app_remove").onLog((event)=>{
const userEmail = event.user.email;
database.doc(userEmail + "/user_logged_in").delete();
return console.log("Deleted user_logged_in because user uninstalled app");
});
I don't think this is possible with the structure you currently have. As you can see here, the onLog() returns a AnalyticsEvent object that has a UserDimensions object inside of it, however, that object stores the userId and an object with the userProperties.
I can' t say for sure that this userProperties will store the email of your user so you can fetch in firestore, so you need to test this. If not, you will have to find a way get the user document with it's userId, maybe by adding it to the document itself on creation.
This would be easier if you changed the documentId to be the userId instead of the email, if you do that you can simply use the mentioned userId of the event to get the document and delete it.

Save data into the Firebase user object

Using this :
firebase.auth().onAuthStateChanged(function(user){
if (user){
Firebase is returning the user, which includes a userID.
When a webpage get this object it takes the user ID, and need to access again the DB records to check some very basic stuff ( if it's a paid user, or another simple key) in order to choose the UI.
Is there away to return in this callback the user including some predefined basic info about him?
If you want to add some extra info to a user account you cannot use the User object, which has a fixed list of properties.
There are two classical approaches:
1. Create a specific User record
You create a Firestore document (or a Realtime Database node) for each user. Usually you use the User's uid as the id of the Firestore Document/RTDB node.
This means that you will need to fetch the database to get this extra user info, e.g.
firebase.auth().onAuthStateChanged(function(user){
if (user) {
firebase.firestore().collection('users').doc(user.uid).get()
.then(...)
}
//...
}
2. Use Custom Claims
If you need to store only a limited number of extra information in order to provide access control, you could use Custom Claims. This is particularly adapted for storing user roles, e.g. paid user.
Custom user claims are accessible via user's authentication tokens, therefore you can use them to modify the client UI based on the user's role or access level. See more details here in the doc.
To get the Claims in the front end, you can do as follows:
firebase.auth().onAuthStateChanged(function (user) {
if (user) {
user.getIdTokenResult()
.then((idTokenResult) => {
// Confirm the user is a paid user.
if (!!idTokenResult.claims.paidUser) {
// Show admin UI.
showPaidUserUI();
} else {
// Show regular user UI.
showRegularUI();
}
})
.catch((error) => {
console.log(error);
});
}
//...
}
It is important to note the following section in the doc:
Custom claims are only used to provide access control. They are not
designed to store additional data (such as profile and other custom
data). While this may seem like a convenient mechanism to do so, it is
strongly discouraged as these claims are stored in the ID token and
could cause performance issues because all authenticated requests
always contain a Firebase ID token corresponding to the signed in
user.
Use custom claims to store data for controlling user access only. All other data should be stored separately via the real-time database
or other server side storage.
Custom claims are limited in size. Passing a custom claims payload greater than 1000 bytes will throw an error.

Firebase database schema

I can't understand the way Firebase db works.
Yes, I know it is a JSON with my data, I know the ways to set one-to-many and many-to-many relationship between different objects. But is there any way to set up some kind of "schema" to database?
An example to understand what I mean: what if I'm creating an Android app, using Firebase SDK, and my friend is creating an iOS app. I'm pushing this to "users": {name: John, city: LA}. And my friend makes a mistake, pushing {name: Tom, cety: NY}. Than, trying to get Toms city - what will I get? Null?
Is there a way to specify a structure to saved data. In Firebase console I see only way to add exact values, not specify the way it should be structured. How to tell other developers, or "me-in-the-future" that my users should contain, for example "name", "gender" and "dog_eyes_color"?
Hope you understand me.
To answer your question, Firebase is a schema-less database. If you push data to a node
users
uid_0
name: John
city: LA
and your friend adds another user
uid_1
name: Frank
cety: NY
Then your users node will have two users with children that have different keys; city vs cety.
As Frank mentioned in his comment, you can 'catch' and prevent data from being written to a node that's invalid. However, ponder this class:
class User {
userId = ""
name = ""
city = ""
func saveToFirebase() {
myRef.setValue( user id etc etc)
}
}
and you tell your friend that any time they want to store a user in Firebase, to use that class. You now have a standardized model in which to interact with Firebase. That class (or structure or whatever you use) defines a schema to work with.
The Firebase database (NoSQL) provides a mechanism for storage and retrieval
of data which is modeled in means other than the tabular relations
used in relational databases
And as a followup to the users question: Firebase DOES store user authentication data 'in the back end' which is not directly accessible (queryable) to the developer. The idea here is that when a user is created in Firebase with Firebase functions such as createUser(), you are provided the user id (UID) of that user when it's created and that's what you can use to store additional information in a /users node you create.
users
uid_0
name: Frank
location: LA
fav_food: Pizza
uid_1
name: Leroy
location: NY
fav_food: Tacos
.validate....
I would not leverage .validate rules to define a structure (schema) or keep other developers in check. Providing coding tools such as the Users class mentioned above will provide far more flexibility and less aggravation (and coding) in the long run and will be much more maintainable.
how about this way of implementation
class User {
constructor(name, city) {
this.name = name;
this.city = city;
return {
name: this.name,
city: this.city,
};
}
}
const saveDocument = function (collectionName, obj) {
db.collection(collectionName)
.add(obj)
.then((docRef) => {
console.log("Document written with ID: ", docRef.id);
})
.catch((error) => {
console.error("Error adding document: ", error);
});
};
saveDocument("user", new User("Jhon", "NY"));
The following answer goes for anyone using Firestore and having this same question.
Firebase security rules, this video does an amazing job explaining them, are a way in which you can sort of create schemas.
An important consideration when using these rules is that if you're using the Firestore Admin SDK (used for backend code) then your rules will be bypassed. To enforce this rules the request must come from a client SDK. I think that one of the best things about Firebase is serverless computing so this type of validations should work just fine with most requests considering they come from the client.
To validate requests coming from a source that bypasses the basic security rules make sure to set up Identity and Access Management (IAM) for Cloud Firestore.

Firebase - Adding properties to authenticated user [duplicate]

I'd like to add a property to a Firebase user object. The user documentation says that I can only store additional properties using the Firebase real time database.
I am unsure on how this can works in practice.
What does the following mean in practice?
You cannot add other properties to the Firebase User object directly;
instead, you can store the additional properties in your Firebase
Realtime Database.
I interpret it as following:
"you cannot modify properties of a FIRUser object but you can combine this with additional objects"
I found the set function documentation which I interpet in this way:
var userRef = ref.child("users");
userRef.set({
newfield: "value"
});
Is this a sensible approach?
You're almost there. In the legacy Firebase documentation, we had a section on storing such additional user data.
The key is to store the additional information under the user's uid:
let newUser = [
"provider": authData.provider,
"displayName": authData.providerData["displayName"] as? NSString as? String
]
// Create a child path with a key set to the uid underneath the "users" node
// This creates a URL path like the following:
// - https://<YOUR-FIREBASE-APP>.firebaseio.com/users/<uid>
ref.childByAppendingPath("users")
.childByAppendingPath(authData.uid).setValue(newUser)
I've added a note that we should add this information in the new documentation too. We just need to find a good spot for it.
According to the Custom Claims documentation,
The Firebase Admin SDK supports defining custom attributes on user accounts. [...] User roles can be defined for the following common cases:
Add an additional identifier on a user. For example, a Firebase user could map to a different UID in another system.
[...] Custom claims payload must not exceed 1000 bytes.
However, do this only for authentication-related user data, not for general profile information, per the Best Practices:
Custom claims are only used to provide access control. They are not designed to store additional data (such as profile and other custom data). While this may seem like a convenient mechanism to do so, it is strongly discouraged as these claims are stored in the ID token and could cause performance issues because all authenticated requests always contain a Firebase ID token corresponding to the signed in user.
Use custom claims to store data for controlling user access only. All other data should be stored separately via the real-time database or other server side storage.

Resources