1. The Context of the Problem
In my app, I'm creating a screen where the user could see other people's ranks. For that, inevitably, I'm going to need other users' names, profile pictures, etc. So, is there a way of querying that info through Firebase's authentication API? Or, for example, would I have to save that kind of data in a separate collection when the user logs in for the first time — doesn't sound like a good security practice to me.
2. How I think it would look like
I imagine the workflow would look a bit like this:
// ...
for (String userEmail in listOfUserEmailsInRanking){
UserInfo userData = FirebaseAuth.instance.getUserData(
email: userEmail
);
userDisplayName = userData.displayName;
userPhoto = userData.photoUrl;
// ...
}
My idea is that there should be some API following the example of displayName and photoUrl, which are both properties available from the FirebaseAuth.instance.currentUser() method.
It is not possible to use the Firebase Authentication client API to allow a user to query for other users. If you want to expose user account data to other users, you should write some code to write the required user data to a database, and query the database instead.
If you have concerns about security, and you're using a Firebase data (Realtime Database or Firestore) then look into using security rules to determine who can read and write its data.
Your second option can be implemented without compromising security. If you really intend to share some user data (which I suppose is not sensitive) you can create a shared separate collection of just that data and link it to the owner through some ID which you also keep in a private collection of that owner's properties.
Related
I've started designing a referral system and wanted to use firebase auth UIDs as the referral code for each user, however they're longer than I'd like and also not guaranteed to stay small. I've looked into some libraries for short text compression, hashing, etc; But none seem to satisfy my needs. I've recently came across the lovely short-uuid pkg on npm but unfortunately it doesn't seem it works with firebase UIDs(because those aren't UUIDs) but i've been looking for a possible solution that doesn't involve keeping a lookup table of custom IDs to UIDs.
So the real question: is there any good way to compress a short string programmatically and then decompress?
There is no way for you to control the UIDs that Firebase Authentication generates in its various providers.
If you want to use a shorter/friendlier scheme for identifying your users, some options are:
You can generate a shorter ID yourself, and maintain a mapping of those IDs to the ones that Firebase generates. You'll typically want to include a uniqueness check for your shorter IDs, as the chances of collisions rapidly go up for the shorter strings.
A common example of a friendlier identifier for users is to allow users to pick a unique username. This is essentially a variant of the first option, but now with a user-selected ID. Here too you will need to perform a check to prevent duplicates.
You can also creating a custom provider that plugs into Firebase Authentication. When doing this, you control the UID that Firebase uses too. Here you are responsible that the UIDs your provider generates are unique not just within your own provider, but across all providers you've enabled for your project.
As #FrankVanPuffelen explained there is no way for you to control the UIDs that Firebase Authentication automatically generates.
But with the createUser() method of the Admin SDK you can define which UID you want to assign to a new user. As explained in the doc, "if you instead want to specify your own UID for the new user, you can include it as an argument passed to the user creation method"
await admin.auth().createUser(
{
uid: 'some-uid',
email: 'user#example.com',
password: '....',
}
);
You can run this code in a Cloud Function or on a server you own.
Of course, you need to ensure that the user's UID is unique for each user.
I'm trying to get the UID of the user authenticated by firebase web sdk, in the cloud function. The cloud function is triggered by onWrite event of cloud firestore.
This function is triggered when the logged in user is creating/updating items to the cafe. The authentication is handled by Firebase Auth. The security rules enable write only for logged in users. So this event could be tied to a user.
export const cfun = functions.firestore.document('cafes/{cafeId}/items/{itemId}').onWrite(async event => {
// trying to get the uid here
})
There are examples in the docs that deals with the userId, but in all those cases the userId is part of the document path. But in this model the user is not part of the path, as a cafe could have multiple owners and so could be manipulated by many users. So adding userId to the path is not an option.
It looks like a common case for serverless architecture.
#
Update: Functions triggered by firestore doesn't have event.auth populated. Looking for suggestions on modelling the following requirement.
In the data-model, I've got cafes and owners. Each cafe could be owned by many owners and a cafe could be transferred to some-other owner at a later stage. So the cafes are modelled as /cafes/{cafeId} and everything that belongs to the cafe as /cafes/{cafeId}/items/{itemId} etc.
We also need to query cafes based on different params, if modelled below users it becomes difficult. For these reasons the cafe cannot be modelled as /users/{userId}/cafes/{cafeId}.
As far as security rules are concerned, I could control write access using get(<>) to determine who gets write access to cafes. There is no problem with the security.
I feel that the execution context should provide all available information and let the developers handle it appropriate for their use case. And for serverless apps userId is a must.
If event.auth is not provided in the function, then this restriction will force items that does not belong to users to be modelled /users/{userId}/<item_name>/{itemId} just for the sake of accessing the userId in the cloud functions. This doesn't feel natural.
Also right now there is no way to figure if the cloud function is triggered because of the changes performed in the console. The event.auth info that is available for firebase database triggered functions will be perfect to handle all cases.
Any suggestions regarding how to remodel this case is appreciated as well.
#
Thanks in advance,
I have been facing a similar issue. In Firebase, it was easy - you simply took the data from event.auth. I would assume this is simply a feature not implemented yet while we are in the beta phase of Firestore. Adding the user id to the path does not work as you previously mentioned as it will constantly be changing depending on the user making the update.
My scenario is that I want to create a "lastUpdatedBy" field in the object being updated. If we were to allow the client to send in a lastUpdatedBy field in the payload, this could be abused by a rogue client (i.e. someone with a authenticated account) trying to impersonate someone else. Therefore in Firebase we relied on a cloud function to populate this field on data change events.
My workaround is to allow the client to insert the "lastUpdatedBy" field but additionally use the Firestore rules to validate that the userId in the payload matches that of the logged in user - otherwise deny the write request.
Something like:
match /collectionA/{docId} {
allow update: if request.resource.data.lastUpdatedBy == request.auth.uid;
}
Until Google/Firestore guys add the "auth" object to the cloud function I don't see any other workaround but would love to hear differently.
Since Cloud Functions 1.0 you can get the UID like this
exports.dbCreate = functions.database.ref('/path').onCreate((snap, context) => {
const uid = context.auth.uid;
const authVar = context.auth;
});
Here is a nice post from the FB team for all CF1.0 changes: https://firebase.google.com/docs/functions/beta-v1-diff#event_parameter_split_into_data_and_context
The data of context.auth can be found here: https://firebase.google.com/docs/firestore/reference/security/#properties
Our current Firestore structure is as follows:
Currently we are not using any subcollections
Users have list of companies to which they belong
Every project is connected only with 1 company
Project belongs to a company, when in companyId field is written that company UID
My 1st question is how we can specify security rules defined by this database? Is there some best practice approach?
Our first idea was to do this:
match /databases/{database}/documents/projects/{projectUid}/{document=**} {
allow read: if
(/databases/$(database)/documents/projects/$(projectUid)/companyId) ===
(/databases/$(database)/documents/users/$(request.auth.uid)/companyId)
}
But according to the documentation this would mean that we would have for each read basically 3 reads (2 queries for security and 1 real read from DB). This seems like a waste of queries.
Is there a better approach than this?
We were thinking about changing to subcollections:
at the end we would have in root collections 'companies' and 'users' (to store all users details)
projects would be subcollection of companies
pages would be subcollection of projects
...etc
and companies would contain list of users (not the other way around like now) - but only list, not user details
This way we can use similar approach as from the doc, where each match would contain {companyId} and in allow statement we would use something like
match /databases/{database}/documents/companies/{companyId}/projects/{projectId} {
allow read: if
exists(/databases/$(database)/documents/companies/$(companyId)/users/$(request.auth.uid));
}
Thanks for any recommendations on how to build it in the most scalable and especially most secure way.
Have you considered adding a user's company ID as a custom claim to their profile? That way no additional reads are needed in your security rules.
Since setting these claims requires the Admin SDK, it will require that you can run trusted code somewhere. But if you don't have your own trusted environment yet, you could use Cloud Functions for that e.g. based on some other action like writes to your current Firestore structure.
Adding an answer to Frank.
Borrowing from other API SDKs such as microsoft graph, typically to make a resource request you start by initializing a Client object with an authentication token representing the scope/rights of the user. For example:
const client = new SDKClient(my_auth_token);
The client constructor would have a token validation step on claims. You can then make REST calls such as
const response = await client.someEndpoint({ method: 'POST', body: my_object });
I suggest rather than using the admin SDK for read/write to your firestore, you use the regular firebase nodejs client. To restrict access with security rules, pass a firebase JWT token into this custom SDKClient class with the token that you obtain from the header of your requests. In the constructor, initialize a new firebase 'app'. Because a regular firebase client is
subject to security rules, this will do what you're looking for.
Some example code has already been offered in this answer.
I should add that according to this firebase doc there is a 'warning' to use the admin-sdk server-side, but I'm not sure I see why.
One approach I've thought of for something similar that we are working on, that is, private chatrooms where only certain users have access, is to encrypt all messages with an on-server key, and only grant read access for that key to certain users. That way the extra read only has to occur one time, just when getting the key for the first time, then normal reads with no additional security rules are fine, as an attacker wouldn't be able to do anything with them since they are encrypted and they don't have access to the key.
Somehow I still have a understanding problem with firebase rules and need some input from you guys.
Lets say I have a user node with all my users. Each user contain sub-nodes for things like email, name, phone etc.
My basic firebase rule says now that only the user with the correct id can edit/write/read in his own node. This works all fine. But now I do have situations like another user search for a friend and there for I need to search for example in all my users for a name or email BUT since my rule does not allow to read userdata except if the user is the owner of his own data I dont know how to solve this. I cant use a rule to give every authenticated user READ rights for the other users data BUT I still would like to search for example for a email address in the other users data. This confuses me all a lot.
The only thing I can think of is to run parallel a complete separated list with something like public informations and keep the rule that everybody can read (not write) in this list. BUT THEN again I have the issue that somebody could easy access my entire user-list (emails for example) if I keep them inside the public list.
I would be happy if somebody can point me into the right direction. I have no idea where to start to set this up from the start correct.
What is the best approach to do something like this?
Hey I'm not a pro or affiliated with Firebase. But as I have encountered same type of problems I share my thoughts with you.
I don't think allowing users to search others based on emails stored in a Firebase node and directly from client side is entirely safe. Searching based on somethign like userName is ok because it is scoped to your app.
If you must, then I would either make it a 2 step process using Firebase functions (which you can put another layer of security check in there also no user is directly reading from database) or introduce other parameters that all need to pass for a successful query. Something like a temporary unique id that expires after awhile.
If you still want to share emails, you can store user's sensitive information in a separate node and only save what you really need to expose to others in a public node which can still have some security rules protecting it form access of someone who is not logged in, for instance and you map the emails by UIDs.
Just some thoughts.
EDITS
You can provide a way for users to be able to search others by username (similar to instagram for instance.) and in firebase you only have to connect each username with their UID. So people can find each other via username. Imagine this in firebase (you can do the same of emails so a person making request need to know an email to get UID not the other way) :
user_names : {
alice_d: UID,
bob_ross: UID,
....
}
You can later search for any user name without exposing others simply by using .equalTo() in your query or run more complex queries via FireStore (I am new to it too) or using a search system that has your data indexed already like Algolia.
Facebook provides further information such as list of friends if you app is approved so you can always use that list to suggest friends granted that users have logged in by Facebook O'auth and your app has the priviledge to see friends lists.
See here for how to verify a user making https requests in Firebase functions. In your function you can do the search and only return what is safe back to the client. (keep in mind the speed might be an issue unless your function is running frequently). And for making the request from client side, you do something like this.
_makeRequest: function() {
this.user.getIdToken().then(function(token) {
//token is a long string JWT token used to identify the user to a Firebase service.
var req = new XMLHttpRequest();
req.onload = function() {
/*you return the result in your function*/
if (JSON.parse(req.responseText).rslt === "SUCCESS") {
}
}.bind(this);
req.onerror = function() {
}.bind(this);
/*attaching location key*/
req.open('GET', 'https://us-central1-rest-of-function-address-found-in-
firebase-functions', true);
req.setRequestHeader('Authorization', 'Bearer ' + token);
req.send();
}
You can also make this happen by writing something to database and have a function to run onCreate(), see here if you need more info on Firebase functions. Hope this helps.
If you want to allow any user to find any other user by their email address, that means that users must be able to read email addresses. If you don't want them to be able to read the full profiles, you'll want to set up an extra data structure that maps email addresses to UIDs:
emails: {
"theeben#domain,com": "uid5601401",
"puf#theotherdomain,com": "uid209103"
}
With this structure you're only exposing the email addresses.
But to be honest, that is still exposing quite some information about all users. Nowadays, I'd consider implementing the search using Cloud Functions for Firebase. That way your API is a function findUser(email): uid type function, exposing only the minimal information.
I'm trying to get the UID of the user authenticated by firebase web sdk, in the cloud function. The cloud function is triggered by onWrite event of cloud firestore.
This function is triggered when the logged in user is creating/updating items to the cafe. The authentication is handled by Firebase Auth. The security rules enable write only for logged in users. So this event could be tied to a user.
export const cfun = functions.firestore.document('cafes/{cafeId}/items/{itemId}').onWrite(async event => {
// trying to get the uid here
})
There are examples in the docs that deals with the userId, but in all those cases the userId is part of the document path. But in this model the user is not part of the path, as a cafe could have multiple owners and so could be manipulated by many users. So adding userId to the path is not an option.
It looks like a common case for serverless architecture.
#
Update: Functions triggered by firestore doesn't have event.auth populated. Looking for suggestions on modelling the following requirement.
In the data-model, I've got cafes and owners. Each cafe could be owned by many owners and a cafe could be transferred to some-other owner at a later stage. So the cafes are modelled as /cafes/{cafeId} and everything that belongs to the cafe as /cafes/{cafeId}/items/{itemId} etc.
We also need to query cafes based on different params, if modelled below users it becomes difficult. For these reasons the cafe cannot be modelled as /users/{userId}/cafes/{cafeId}.
As far as security rules are concerned, I could control write access using get(<>) to determine who gets write access to cafes. There is no problem with the security.
I feel that the execution context should provide all available information and let the developers handle it appropriate for their use case. And for serverless apps userId is a must.
If event.auth is not provided in the function, then this restriction will force items that does not belong to users to be modelled /users/{userId}/<item_name>/{itemId} just for the sake of accessing the userId in the cloud functions. This doesn't feel natural.
Also right now there is no way to figure if the cloud function is triggered because of the changes performed in the console. The event.auth info that is available for firebase database triggered functions will be perfect to handle all cases.
Any suggestions regarding how to remodel this case is appreciated as well.
#
Thanks in advance,
I have been facing a similar issue. In Firebase, it was easy - you simply took the data from event.auth. I would assume this is simply a feature not implemented yet while we are in the beta phase of Firestore. Adding the user id to the path does not work as you previously mentioned as it will constantly be changing depending on the user making the update.
My scenario is that I want to create a "lastUpdatedBy" field in the object being updated. If we were to allow the client to send in a lastUpdatedBy field in the payload, this could be abused by a rogue client (i.e. someone with a authenticated account) trying to impersonate someone else. Therefore in Firebase we relied on a cloud function to populate this field on data change events.
My workaround is to allow the client to insert the "lastUpdatedBy" field but additionally use the Firestore rules to validate that the userId in the payload matches that of the logged in user - otherwise deny the write request.
Something like:
match /collectionA/{docId} {
allow update: if request.resource.data.lastUpdatedBy == request.auth.uid;
}
Until Google/Firestore guys add the "auth" object to the cloud function I don't see any other workaround but would love to hear differently.
Since Cloud Functions 1.0 you can get the UID like this
exports.dbCreate = functions.database.ref('/path').onCreate((snap, context) => {
const uid = context.auth.uid;
const authVar = context.auth;
});
Here is a nice post from the FB team for all CF1.0 changes: https://firebase.google.com/docs/functions/beta-v1-diff#event_parameter_split_into_data_and_context
The data of context.auth can be found here: https://firebase.google.com/docs/firestore/reference/security/#properties