Firebase security when not using Authentication - firebase

I am building apps using Firebase (Storage, Functions, Hosting, Real-Time Database and Firestore). In the apps, the user authenticates using a third-party library (like Google connect but not Google).
I don't know how to protect my database because I am not using Firebase Authentication. How can I use this third party authentication to protect data for example? Maybe I need to create a user manually and attach information to him so that this info will be available in the Security Rules editor?
Thanks

I don't think you can secure your database or storage without a form of authentication.
Now firebase provides multiple methods of authentication (email , google, custom , anonymous .....).
What you might want:
You might want to add custom login to your users in which they get registered with extra data that you provide. And they will still get a user id that you will use to check in the rules to allow read and writes along with some custom data you provided while registration (so you can check these data from the rules).

Related

How to Secure Firebase Realtime Database

This image shows the Authentication for my Firebase Database Security: Authentication
I only allow Email/Password Sign-in method, everything else is disabled.
I don't allow my users to sign in manually.
My Android app logs in via code and it uses just one set of Email/Password:
My question is how come I am still getting this warning: Warning
I've followed thru the enter link description here but this sample uses Google sign-in method. And all the other samples or discussion I've read use the same method. Has anyone here tried Email/Password Sign-in Method? Thanks!
That authentication and the firebase realtime database are different things. Your authentication method doesn't control who has access to that database.
This means that anyone who has access to the keys, will be able to access your db. So if your client app (Android / ios / web app) access the database directly, your users will be able to do that too.
To secure it you need to use specific read/write rules. Your best explanation will be from their documentation which can be found here https://firebase.google.com/docs/database/security

Firebase auth with "username" as provider

i have an angular app which uses Firebase authentication - email provider. Works just the way, application wants it.
Now, i have a new customer who wants to use the application. The only issue is that he is not keen on having email addresses / mobile numbers as login identity. He wants to create his own usernames for their users to login. the username will be a string something like:
md, accounts, branchmanager, customer_with_weird_requirements etc
for attacking this situation, i have two approaches in mind.
changing the provider to customauth provider, bring in jwt and have a back-end endpoint
making the user only enter the username and suffix a common domain url like #abc.com and mock an emailauth provider
the following are the problem i have using the approaches
the app is fully powered by firestore and its web sdks. i need to start a new cloud function for creating the endpoint. well, not difficult but for just one module, we have a architectural change which i am not a fan
not the ideal way to handle auth module. also, reset password will not work as the rest link will be sent to the user#abc.com which doesn't exist in the first place.
Is there any way to use the providers available in firebase auth, with maybe basic tweaking, which doesn't make your email/mobile no mandatory?
What you want is beyond what the built-in providers of Firebase Authentication can be configured to handle. You'll have to create you own provider to support you needs.
Keep in mind that Firebase has some great examples of how to build a custom provider, like this username/password provider.

determine if user in auth has firebase admin role

CONTEXT:
In firebase settings, there's a permissions tab. This shows the users/emails that are associated with accounts that have admin access to the firebase project and console.
I could have sworn I once saw a document describing a method or some way of checking if a user account in firebase auth is also an administrator of the firebase project.
I seriously can't tell if it was in a dream (yes I dream code) or if I actually saw it. I often work late nights and fall asleep in front of my computer.
Question: Is there any way to tell if a user is also an administrator of the firebase app?
IE the user email matches an email that’s listed in the IAM/access management section of firebase as an 'owner' role?
Im currently writing an admin panel for my app, so such a feature would be very useful.
If such a thing does not exist, can anyone suggest an alternative way to manage and authorise users that are capable of logging into the admin dashboard to have control over the app? I already understand custom claims so I will use them if no better solution is suggested.
Well, using only the FirebaseAuth through your app, I don't think you can (as far as my knowledge goes). But you can easily implement the Admin SDK to manage your Custom Claims. Basically, you can use the Admin SDK and find out which "role" you want to access.
Referencing Firebase
Custom claims can contain sensitive data, therefore they should only
be set from a privileged server environment by the Firebase Admin SDK.
and
Custom claims can only be retrieved through the user's ID token.
Access to these claims may be necessary to modify the client UI based
on the user's role or access level. However, backend access should
always be enforced through the ID token after validating it and
parsing its claims. Custom claims should not be sent directly to the
backend, as they can't be trusted outside of the token.
Once the latest claims have propagated to a user's ID token, you can
get them by retrieving the ID token.
Therefore, you'll only need the FirebaseAuth implemented on your app's (client), but will need an extra implementation using a server.
Please see the Firebase use cases, they'll probably fit your needs, and you can pick the one that is "easier" for you.
It turns out it can't do what I wanted in the first place because it's only available on certain triggers.
Here it is: context.authType
https://firebase.google.com/docs/reference/functions/functions.EventContext#.authType
The level of permissions for a user. Valid values are:
ADMIN Developer user or user authenticated via a service account. USER
Known user. UNAUTHENTICATED Unauthenticated action null For event
types that do not provide user information (all except Realtime
Database).
Although it would be great if we could get this information on callable functions and firebase triggers because it would help further secure hosted backend admin apps for customer service or developers, who have high-level access to admin functions. This variable seems to not be available on callable functions but is available on newUser trigger - which is strange, because how can user signup ever be authenticated anyway?

Possibility to manage all existing users with firebase simple login

I am using firebase simple-login in my angularjs-app.
Is there any possibility to manage all existing user accounts (not with forge console)?
An admin-user should be enabled to edit and delete these accounts.
When you allow (for example) Twitter users to log in to you Firebase application, all Twitter users can log in to your Firebase application. You can't directly control specific user accounts, unless you implement your own custom authentication.
What you do have control is over what those user accounts have (read and write) access to. You do this through Firebase's security rules. If you'd remove an accounts read/write access from all your data, you've essentially locked them out of your Firebase.
You can programmatically set the security rules through the REST API. See updating security rules through rest api.

How do I restrict signup to a product in Firebase

If I create a new product, use simple auth, there is a "create user" API. How do I restrict it so that only invited emails (either by the email or via a one-time key) can sign up? Doesn't seem to fit easily into the rules, but I am probably missing something.
First, I should point out that the core Firebase API uses JSON Web Tokens for auth, which you can generate yourself, so you have full control over the creation of user accounts and can restrict it however you like:
https://www.firebase.com/docs/security/custom-login.html
I'm guessing you're referring to our Simple Login service.
Simple Login is a service that provides some common login options. It has no way to restrict creation of new accounts. However, you can restrict what those accounts can do with Firebase. For example, you could set your security rules up so that only user accounts in some authorized list (in Firebase) are actually able to read or write data.

Resources