determine if user in auth has firebase admin role - firebase

CONTEXT:
In firebase settings, there's a permissions tab. This shows the users/emails that are associated with accounts that have admin access to the firebase project and console.
I could have sworn I once saw a document describing a method or some way of checking if a user account in firebase auth is also an administrator of the firebase project.
I seriously can't tell if it was in a dream (yes I dream code) or if I actually saw it. I often work late nights and fall asleep in front of my computer.
Question: Is there any way to tell if a user is also an administrator of the firebase app?
IE the user email matches an email that’s listed in the IAM/access management section of firebase as an 'owner' role?
Im currently writing an admin panel for my app, so such a feature would be very useful.
If such a thing does not exist, can anyone suggest an alternative way to manage and authorise users that are capable of logging into the admin dashboard to have control over the app? I already understand custom claims so I will use them if no better solution is suggested.

Well, using only the FirebaseAuth through your app, I don't think you can (as far as my knowledge goes). But you can easily implement the Admin SDK to manage your Custom Claims. Basically, you can use the Admin SDK and find out which "role" you want to access.
Referencing Firebase
Custom claims can contain sensitive data, therefore they should only
be set from a privileged server environment by the Firebase Admin SDK.
and
Custom claims can only be retrieved through the user's ID token.
Access to these claims may be necessary to modify the client UI based
on the user's role or access level. However, backend access should
always be enforced through the ID token after validating it and
parsing its claims. Custom claims should not be sent directly to the
backend, as they can't be trusted outside of the token.
Once the latest claims have propagated to a user's ID token, you can
get them by retrieving the ID token.
Therefore, you'll only need the FirebaseAuth implemented on your app's (client), but will need an extra implementation using a server.
Please see the Firebase use cases, they'll probably fit your needs, and you can pick the one that is "easier" for you.

It turns out it can't do what I wanted in the first place because it's only available on certain triggers.
Here it is: context.authType
https://firebase.google.com/docs/reference/functions/functions.EventContext#.authType
The level of permissions for a user. Valid values are:
ADMIN Developer user or user authenticated via a service account. USER
Known user. UNAUTHENTICATED Unauthenticated action null For event
types that do not provide user information (all except Realtime
Database).
Although it would be great if we could get this information on callable functions and firebase triggers because it would help further secure hosted backend admin apps for customer service or developers, who have high-level access to admin functions. This variable seems to not be available on callable functions but is available on newUser trigger - which is strange, because how can user signup ever be authenticated anyway?

Related

Firebase Authentication setting users to deactive without using currentuser

I am making an admin tool page to allow admins to change users email for when they change or set their account to deactivate so they can not access the site anymore. Everything I have looked at seems to be using 'CurrentUser' but this will not work due to the fact they will be logged in as themselves which is marked as Admin level so they have access to the tool. So is there any way to change a users email for authentication without logging in as them?
If the Firebase Authentication client-side SDKs had an API that allowed you to change the email address of anyone but yourself that'd be a major security risk.
This is the reason an API to update any user by their UID only exists in the Admin SDK, which can only be run on a trusted environment as it requires full administrative access to your project.
If you want to expose this functionality to specific users of your app, you'll have to wrap the relevant call of the Admin SDK into a custom endpoint that you then call from the app. Just make sure to check that the user is authorized, before changing some other user's account.

Have one user signup another user with custom fields in firebase/flutter

I am trying to determine if the following scenario is possible with flutter and firebase:
we have users within the company who will be given access to the app, where on the homepage will be a signup another user button where they enter in that user's email and password, they get signed up, and then the original user specifies custom fields for the 2nd user, such as company name, role, position, etc.
Is this possible with flutter and firebase?
Have asked the flutter google group and was told about custom authentications, but from what I see that is just an external authentication system and doesn't show me how to let one user create another users profile with fields.
Any ideas?
The first thing to consider is whether those properties need to be in the user profile at all. The user profile is sent with every request, and should only contain information that is relevant for securing access. If you have additional information to store about the user, you should store it elsewhere (such as in one of Firebase's databases) using the UID of each user as its key.
Assuming that the information is about security (such as the role seems to be, there is no secure way to let one user set security properties (typically referred to as claims) from client-side code. As soon as this is allowed from client-side code, anyone could set such properties for anyone else. That's why setting custom claims for a user is only possible with Firebase's Admin SDKs, which are designed to run in a trusted environment - such as your development machine, a server you control, or Cloud Functions.
There are a few other options, but it's important to realize they're all implemented on top of the above approach.
There is an experimental extension that allows you to set auth claims by writing a document into Firestore, which something like this (JavaScript syntax, but the Flutter code will be similar):
db.collection("user_claims")
.doc("abc123")
.set({
role: "admin",
groups: ["example1", "example2"],
});
Now of course you'll want to make sure that you secure writing to the user_claims collection, as otherwise you'll end up with the same security risk I mentioned in the first paragraph, where everyone can claim any role they want.
Alternatively you can write your own server-side API (for example on Cloud Functions) that you expose to your application, and that then calls the Admin SDK. Here too, it is important to secure access to this API, to ensure only authorized users can call it.

How to disable user account in Firebase Web JS SDK?

I am using Firebase Auth to authenticate users using the Email/Password Method. Sometimes I detect spam users that create a lot of accounts from one IP address. I want to block them to protect my app.
I know that there is a method called "Disable User Account" in Firebase Console. I want to use it in my project.
I searched in Stack Overflow as well as the Firebase Docs and found that this only can be done in Admin SDK but I want to use it in the Firebase Web JS SDK. So is there a method to do that like user.DisableAccount?
There is no method to disable a specific user's account in the client-side Firebase SDKs, as that would be a security risk.
But if you look at the documentation for updating a user with the Admin SDK, you'll see there is a property disabled that you can set to true.
From that moment in, that user won't be able to sign in or refresh their ID token. Their existing ID token is still valid though, and by default, that means it may take up to an hour for them to get signed out of your app. If that interval is a concern for your use case, have a look at the documentation on managing user sessions, specifically the section on detecting ID token revocation. While more work, this allows you more granular control of the expiration of the token.

How can I prevent Firebase auth users from changing their email address by themselves?

According to firebase doc, it seems that client side SDK allows email address as well as user profile information to be updated directly.
https://firebase.google.com/docs/auth/android/manage-users#update_a_users_profile
If I build an android app without any UI workflow for users to change email address, I am confident that majority, 99.99%+ of the regular users, will use the app as intended.
However, if certain users investigate/reverse-engineers into the app, learns that it uses the firebase, wouldn't it be possible for them to debug and invoke any one of the Firebase Auth client SDK methods provided? (e.g. Wouldn't it be possible for hacker to change email address [not supposed to be allowed in my app after initial registration] & change photo url to point to something inappropriate images?
With Firestore database, I could use security rules to prevent read/writes, but I wasn't sure how I could do something similar in Firebase authentication.
Yes, it's possible for users to get a hold of the token that would be used to call the backend APIs exposed by Firebase Authentication that would normally be used by the SDK. There is no equivalent to database security rules.
The fact of the matter is that users normally should be able to change their email address, as they might actually need to change email provider at some point. If your app doesn't allow this for some reason, and you have a hard requirement to only use the email address provided by the authentication provider(s) you allow, you should consider writing that value to a database at the time the user account is created. Then, use security rules to prevent the user from changing it there. From that point on, you would only ever trust the value initially written to the database, and never use the email address from the auth provider.
You would probably want to handle writing to the database from a Cloud Functions auth onCreate trigger, so that you control all the logic.
I am now facing the same issue, and I think I will just not worry about the 0.01%. This is mostly because if they change their own email with Firebase Authentication via reverse-engineering and my web server is unaware of their new email, this would not have any impact on the other genuine users except maybe not being able to find them (email is only used in searches for now).

Firebase: Implementing Switch / Add Account Features

I am working on Firebase application ( Firebase version 4.1.3 )
My health care related application is made for dependent group of people such as children and seniors. However, most of my users are independent group of people age around 18-55. Most of my users use my application for their seniors/children. They need to create account for each of their family seniors/children member. Therefore, my users have to log in and out many times and they have to keep track of their family members' account. My first thought was I should make an account switching feature so that my user can switch their account back and forth between their family members to update information on my application.
After searches on Google, I found way to force switching account on Firebase authentication with Google provider, but those are not what I'm looking for.
My questions are:
Is it possible to store the multiple firebase auth objects (logged in object) in client side?
If it is possible, for how long will the token inside the firebase auth object last for?
If it doesn't last forever, is it possible to refresh update the token so that it can be use without authenticating with the social/phone login again?
The functionality you are asking for is not available out of the box. You have to build it on your own. I do think Firebase provides the pieces to allow you to build it (via Auth and Database).
Is it possible to store the multiple firebase auth objects (logged in object) in client side: You can have multiple Firebase app instances and each one have an auth instance with a current user. You would need to ask each user to authenticate though (you can't authenticate once and sign-in into all of the account). However, you can build your own user group login mechanism, where logging in with one "master" account can allow you to login with multiple accounts using custom Auth.
If it is possible, for how long will the token inside the firebase auth object last for. Firebase sessions are supposed to be indefinite. If a token expires (typically after one hour), it can be refreshed automatically if you are using real time database.
I do not think Firebase has that token capability. But what you could do is simply put the email address of the people in the device by Shared Preferences( for Android). When the user wants to log in with that user bring the email address just ask him to enter the password and then go through the log in process. If you do not want to use SharedPreferences you could simply store the users(also as you said family members) in Firebase Database and link them with the controller user so to speak. Whenever user wants the switch, go and bring the email addres of other family members from Firebase Database and ask in the client for the password and do the login by Firebase Authentication.Hope that helps!

Resources