I have one project based on firebase in which i have multiple apps having same code but white labeled data.
All users are authenticated by firebase authentication.
Now the Problem is when one authenticated used tries to login in the one white label app it logged in sucessfully but when same users who is not registered in another white labeled app also logged in as same authentication process because of one authentication for all apps in same project in firebase.
so I want to know how to differentiate the users in same firebase project with multiple apps ?
sorry for poor english
You can use Custom Claims to track which user have access to which apps. Note that this require you to use Cloud Functions
Custom Claims documents: https://firebase.google.com/docs/auth/admin/custom-claims
Cloud Functions sample code:
admin.auth().setCustomUserClaims(uid, {whiteLabelApp1: true}).then(() => {//do something here if you want});
And for client code, just refer to the docs
Related
I am currently developing multiple apps with Firebase and I have a doubt. I have a user and an admin. My problem is if I am using the same firebase database, will the user be able to sign up into Admin's app using his credentials or both app will have different authentication. I don't want the user logging into the admin app with user credentials. If it is possible, what can I do to avoid it?
I haven't done trying it.
Can I use multiple apps on a single Firebase database?
Yes, you can.
Will it use the same auth or a different auth?
If both apps are added to the same project, then the authentication will be the same for both projects. This means that the user can use the same account for both projects. This also means that both apps can write/read data to/from the same database.
You can solve this in multiple ways
Have a different collection to store the data of the admins and then check on the login if the email is present in the collection
With the Rules of Firestore
I'm writing an app with Flutter and Firebase (using both Firestore, Storage and Authentication so far).
Currently the app shows content from Firebase, but now I'm trying to figure out how the best way is to implement writing/editing/removing stuff in Firebase.
The goal is to have users with admin privileges.
My question is if I can build an Admin Panel inside the client app (which would be ideal), or if that's considered bad practice and I should build an Admin Panel in another app and using Cloud Functions.
For example, currently I perform Authentication (signup/register) in the Flutter/Dart code and when registering it creates a field in Firestore isAdmin = false, which I then can manually set to true (if I want) in the Firestore console. Could this somehow be an "unsafe" way of doing this?
The goal is to have users with admin privileges
Since you are using the Authentication service you already have half of the solution: with authentication you can identify each user who is using your app.
The other part is Authorization: this is normally done with Security Rules in Firebase, both for Firestore and Cloud Storage.
To be able to authorize certain users (identified through authentication) with Admin privileges, you need to know which users have the admin role in such a way you authorized them to execute the admin functions.
One possible way to identify the admin users is to have an isAdmin flag in some user documents in Firestore, as you mention in your question. There is an example of Firestore Security Rule using this approach in the documentation.
HOWEVER, you will encounter some problem if you want to use this flag (stored in Firestore) with Security Rules for Cloud Storage. At the time of writing, it is not possible to read the value of a Firestore document in Security Rules for Cloud Storage.
The solution is to use Custom Claims. You will find all the details in the doc on how to implement it in such a way it fulfill your needs.
Can I build an Admin Panel inside the client app?
Yes, you can very well do that. As soon as your security is correctly implemented (through Authentication and Security Rules, as explained above), there is nothing that prevents you to develop an Admin panel. If a user that is not admin can access the Admin panel, he/she will not be able to perform the admin actions (i.e. writing/editing/removing Firestore or Cloud Storage data).
Moreover, with Custom Claims, you can access them in the front-end to modify the client UI based on the user's role or access level (i.e. showing the pages, buttons and menu items of the Admin module only to admin users -note however that this does not prevent someone to reverse engineer your app and execute the queries dedicated to admin users: this is why it is key to correctly implement the Authentication and Security Rules parts-). See this section in the Custom Claims doc.
Should I build an Admin Panel in another app and using Cloud
Functions?
If you don't want to over-complexify your app with some logic to hide/show the Admin panel elements (based on Custom Claims, see above) you can very well build the Admin Panel in another app.
If you have specific needs/access restrictions that cannot be implemented through standard Security Rules you could very well use some Cloud Functions to check the user is an admin and to execute the writing/editing/removing admin actions (note however that while it is quite easy to interact with Firestore from a Cloud Function, it can be a bit more tricky with Storage: using the Cloud Storage Client SDKs is much easier than interacting with Cloud Storage through Cloud Functions).
You would preferably use Callable Cloud Functions, since "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests". (See https://firebase.google.com/docs/functions/callable).
Side Note: You may be interested by this article, which details how to to create an Admin module for managing users access and roles. (Disclaimer: I'm the author).
the idea of creating an admin panel for any flutter app
The idea is for two applications with different names and they will be linked to each other with Firebase
for more details see the video from the link
https://youtu.be/d7qoff-I8BU
I want to develop an Ionic app for android and ios using firebase backend.
Requirement:
1. I want to use anonymous authentication silently so that user does not have to be worry about login.
2. I just want to display list of some items on the home page using Firestore api.
Question/Problem:
1. How does firebase will get to know that only the my app using the firestore get api.
2. If I am storing api credentials/secrets in my android app and if other user somehow knows these credentials, will that person be able to use api on behalf of my credentials and I will not be able to track the usage.
Top Level:
If someone know my firebase api credentials/secrets, will that person be able to utilize my firebase quota in case I am using firebase anonymous authentication.
Thanks in advance.
The settings you use to initialize the Firebase SDK are not "secrets". It's all very much public information that identifies your app from all the other Firebase apps out there. Every Firebase app has a similar set of public data. Once you publish your app, you should assume that everyone is able to see that data.
This means that anyone can use that data. That's why it's important to use Firebase Authentication along with security rules to make sure that people logged in can only make use of whatever resources you specify. That's the only way to lock down the data in your Firebase project. If you are concerned about security, then you should be thinking about your security rules from the very beginning.
I have a Firebase project, which I'm currently using with android. I need to programmatically fetch details of the users authorized along with the UID, Email, etc. Exactly the way it is shown in firebase (with the search), this web portal will be given to the vendor or the person using it to verify the user's authenticity.
I've attached the screenshot from Firebase, I'm hoping to replicate it the same way with the search. If this is possible, how do I go about doing this?
It's not possible to list users from an Android app, using only the Firebase Authentication SDK. You can list users using the Firebase Admin SDK, but that can only be run on a backend you control, using service account credentials for your project.
It might be easier if you store user info in a database, to be queried by client code, rather than try to have your app try to access auth data directly.
In my project we have a sort of admin frontend app that manages data from children apps. Each child app has its own firebase database and the admin app has stored information on its own firebase database on how each child firebase app is structured and such. In addition, each client firebase app has its own Android and iOS clients that reads data from the realtime database.
The authentication on the admin app is done through username/password login and are only available to some pre-registered users.
The question is
How can I properly authenticate the signed-in user on the client apps? Is there a way to re-use the current ID Token to sign in to other apps?
One solution I can think of is making a backend just to generate JWTTokens for each child app, but there should be an easier way to obtain what I want...
Now you can have multiple apps in one Firebase project. That way, your users can easily sign-in and modify their User information in both apps.
Note: Well, it's been more than a year since this question asked. But, hopefully you already found the answer.