This question already has an answer here:
How to use Google relyingparty to disable user Firebase?
(1 answer)
Closed 4 years ago.
Is there any way to disable/deactivate a firebase user account programmatically?
The admin has the opportunity to do it in the Authentication Tab in the firebase console but how to do it in code?
I have not tried anything in code as i did not find any methods.
The Firebase Admin SDKs have the ability to disable user accounts. For example, on Node.js, you'd do this with:
admin.auth().updateUser(uid, {
disabled: true
})
For examples in the other supported languages, see the documentation on updating a user.
Note that the Admin SDKs are designed to be used in trusted environments only, such as your development machine, a server you control, or Cloud Functions. You cannot run this code in the client-side app, as that would allow any user to disable any other user's account.
Related
I'm developing a mobile app using Firebase and its email authentication feature. I found that there are some unknown sign up with email with 21cn.com domain even though I'm not publishing the app yet. It seems like these email addresses are related to this website(https://mail.21cn.com/w2/).
Is there a way to prevent these unknown signup from outside or how can I improve the project safety?
I was looking around even in my projects and it is not possible to audit who and/or how added the accounts for Firebase Auth (not even in the Activity logs in the GCP Project associated with your Firebase Project)
So, if you don’t know those accounts, I’d suggest deleting them. Also, if the app is not yet published, maybe someone else (if more users are implied in the project) added those accounts directly to Firebase Auth.
Also you may want to change the password of your account.
In general the security of the Firebase Console is up to you.
This question already has answers here:
How to create Firebase Authentication claims?
(3 answers)
Closed 3 years ago.
In my application I use firebase authentication and Google account as credentials provider. I would like to assign roles to users. In order to do it I would like to add custom claims to the authentication token a user gets during login. And here is my problem because I don't know how to add claims to existing user from the firebase console.
There is currently no way to set custom claims for a user in the Firebase console. If you think this would be a useful addition, file a feature request for it.
In the meantime the easiest way to add a custom claim is to do so from the a terminal window/command prompt using a small Node.js script like this:
admin.auth().setCustomUserClaims(uid, {admin: true})
Also see:
How to create Firebase Authentication claims?
I'm writing an app with Flutter and Firebase (using both Firestore, Storage and Authentication so far).
Currently the app shows content from Firebase, but now I'm trying to figure out how the best way is to implement writing/editing/removing stuff in Firebase.
The goal is to have users with admin privileges.
My question is if I can build an Admin Panel inside the client app (which would be ideal), or if that's considered bad practice and I should build an Admin Panel in another app and using Cloud Functions.
For example, currently I perform Authentication (signup/register) in the Flutter/Dart code and when registering it creates a field in Firestore isAdmin = false, which I then can manually set to true (if I want) in the Firestore console. Could this somehow be an "unsafe" way of doing this?
The goal is to have users with admin privileges
Since you are using the Authentication service you already have half of the solution: with authentication you can identify each user who is using your app.
The other part is Authorization: this is normally done with Security Rules in Firebase, both for Firestore and Cloud Storage.
To be able to authorize certain users (identified through authentication) with Admin privileges, you need to know which users have the admin role in such a way you authorized them to execute the admin functions.
One possible way to identify the admin users is to have an isAdmin flag in some user documents in Firestore, as you mention in your question. There is an example of Firestore Security Rule using this approach in the documentation.
HOWEVER, you will encounter some problem if you want to use this flag (stored in Firestore) with Security Rules for Cloud Storage. At the time of writing, it is not possible to read the value of a Firestore document in Security Rules for Cloud Storage.
The solution is to use Custom Claims. You will find all the details in the doc on how to implement it in such a way it fulfill your needs.
Can I build an Admin Panel inside the client app?
Yes, you can very well do that. As soon as your security is correctly implemented (through Authentication and Security Rules, as explained above), there is nothing that prevents you to develop an Admin panel. If a user that is not admin can access the Admin panel, he/she will not be able to perform the admin actions (i.e. writing/editing/removing Firestore or Cloud Storage data).
Moreover, with Custom Claims, you can access them in the front-end to modify the client UI based on the user's role or access level (i.e. showing the pages, buttons and menu items of the Admin module only to admin users -note however that this does not prevent someone to reverse engineer your app and execute the queries dedicated to admin users: this is why it is key to correctly implement the Authentication and Security Rules parts-). See this section in the Custom Claims doc.
Should I build an Admin Panel in another app and using Cloud
Functions?
If you don't want to over-complexify your app with some logic to hide/show the Admin panel elements (based on Custom Claims, see above) you can very well build the Admin Panel in another app.
If you have specific needs/access restrictions that cannot be implemented through standard Security Rules you could very well use some Cloud Functions to check the user is an admin and to execute the writing/editing/removing admin actions (note however that while it is quite easy to interact with Firestore from a Cloud Function, it can be a bit more tricky with Storage: using the Cloud Storage Client SDKs is much easier than interacting with Cloud Storage through Cloud Functions).
You would preferably use Callable Cloud Functions, since "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests". (See https://firebase.google.com/docs/functions/callable).
Side Note: You may be interested by this article, which details how to to create an Admin module for managing users access and roles. (Disclaimer: I'm the author).
the idea of creating an admin panel for any flutter app
The idea is for two applications with different names and they will be linked to each other with Firebase
for more details see the video from the link
https://youtu.be/d7qoff-I8BU
I need to see not total number of user. i only want them who are currently active (not signed out user) to my app through email and password. I want to see it from firebase console. help me please.
The Firebase Console doesn't show the number of users that are currently signed in to Firebase Authentication.
If you want to know how many users are actively using your app, you'll have to build something yourself.
Gaurav's comment about using an Analytics tool is a good hint. Even though Firebase's analytics SDK isn't available for the web, there are other analytics tools out there that would allow you to track the number of active users.
Another way is to write some information to a cloud database each time a user takes an action in your app. Then you can query that database to determine how many unique users recently took actions. That is actually pretty much what most analytics packages to. :)
A final option would be to use the Firebase Realtime Database's presence system, which uses a more active approach to detect how many users are currently connected to the database.
This question already has an answer here:
Is there a way to add security rules that apply to admin in Firebase?
(1 answer)
Closed 4 years ago.
I have firebase rules to restrict users from accessing certain part of my firebase databases, but how can I restrict the user initialized with Firebase Admin SDK to delete my firebase database nodes?
Thank You
When accessing Realtime Database using the Admin SDK, it has unrestricted access to your database by default. Security rules don't apply.
The only way to restrict the Admin SDK is to initialize it with UID that forces it to behave as if it authenticated as user with that UID. This is described in the documentation using databaseAuthVariableOverride. There is also another answer on SO that describes what to do for nodejs. If you scope access like this, your security rules will have to specifically call out that UID in the rules to limit its access.