my app is fetching data from a Firestore database but this data should only be accessible to users who are currently subscribed to In-App-Purchases.
What is the best way to protect this data?
My first thought was routing everything through a Firebase Function, so the user has to send their subscription ID to the function, the function checks it and returns the data, but this would require way too many function calls for just a few users.
If you are not using any server client libraries then you can create a rule on firestore to restrict the reads on the table.
firestore rules docs..
You could simply check if the requesting user has subscribed to In-App-Purchases (assuming there is a flag in the user's data to confirm the same).
Related
I have a step in my new user flow where a user is registered with Firebase auth, and then a record is written to Firestore.
Is there a straightforward way to put both the user registration and the firebase write into a transaction, so if either one fails, they both fail?
Is there a straightforward way to put both the user registration and the firebase write into a transaction, so if either one fails, they both fail?
There are no Firebase products that support cross-product transactional operations. You'll have to nest both calls and always handle the errors. So do the authentication, and then write the data to Firestore or the Realtime Database.
A more convenient way of handling this situation would be to trigger a Cloud Functions in response to the creation of a Firebase user account. In this way, you will only need to handle a single operation on the client.
I am looking to use the https.onCall to accept some input from a user (such as data about another user). I'd then like to do some advanced processing on that data including retrieving sensitive data from other entries on my firestore that should not be exposed. Depending on the outcome of that analysis, I will update other locations in the database. However, I am concerned about the security of the original call and its source. I know that I have the context parameter on the onCall to verify the source was logged in, but I'd like to apply security rules to the final write based on the context.auth provided to the cloud function.
The security rules are straight forward for normal database operations but not if I'm doing an operation (seeded by a normal user) routed through the Admin SDK.
Thoughts?
but I'd like to apply security rules to the final write based on the context.auth provided to the cloud function
As you are aware that you can identify which user made a call to functions as well as that Admin SDK has super-access to database, the general flow should be to write functions in a way that they only edit documents that should be editable by the user.
If you had still like to narrow down access, you can do that for firebase database by passing databaseAuthVariableOverride when initializing admin app.
Read more on authenticating with limited privileges
When you use the admin SDK, or any of the server SDKs, it always bypasses all security rules. Rules only apply to access coming directly from web and mobile clients using the client SDKs.
If you need to apply some sort or restricts to data written from your backend, you will need to code that into the logic of your backend code. Security rules will be of no help.
My project is creating a website using firebase, but it is using the internal authen micro service instead of Firebase authen.
Every time the user logs in, the internal authen service will generate a token (I call it client_id), and send it to the client.
This token is also stored in the user collection.
Please help me how to write rule for the user via this client_id.
If it is write role, I can send the client_id via mothod update, delete, create and get it out by
request.resource.data.cliend_id and check it.
But if it is read role, I don't have any way to send to the client_id via the get method to authenticate users
I even thought of replacing all the get methods with the update methods to pass the client_id
But the response of the update method is just the update_time, not the object I updated
Firebase RTDB & Firestore Rules uses their own auth only. In every request that firebase client library sends uid along with jwt token and other security parameters. These are fundamental to firebase's working and thus can't be replaced.
As Aleksey mentioned, you can try custom auth. It is specifically tailored for such use cases only.
There is no way to provide extra data to security rules for the purpose of limiting read operations. That would not be secure at all, because a client could simply fake whatever they want in the query.
You can only use information provided by Firebase Auth available in request.auth, the data in the document itself in resource.data, or the contents of other documents using get(). If you want to attach additional data to the user account, consider using custom claims.
I need to check a document's data in Firestore to allow someone to view an image in Firebase Storage. Is this possible?
It is currently not possible to access Cloud Firestore documents directly from Cloud Storage rules. You have two options:
Somehow use Firebase Authentication custom claims on the user account to determine if a user should be able to access a file.
Use some backend code (maybe a Cloud Functions HTTP trigger) that the user accesses to download the file if the conditions are met.
In either case, you will need some backend code that checks and sets the appropriate data.
I have been exploring Firebase and from my first impressions it looks really good.
I will use Auth for authentication because it's simple and I do not want to write yet another sign in/up system.
I have been looking at firestore for saving data, because it's simple and I do not have to manage a server.
And here comes the problem; Many of the examples I have seen put rules to show only the current rows with "ID" the Auth UID which they pass from the client.
But can the user can decompile my app, change the UID to other user's UID and read/write to their data?
Is this true or am I missing something?
UIDs are handled by Firebase on the server side. There is no way to reverse engineer an app and change the UID.
If for some reason a user does that or anything similar, he won't be able to login to the app thus won't have access to the data stored on Cloud Firestore.