Firebase hosting allow access to only minified js/css [duplicate] - firebase

I am trying to secure some pages behind Firebase Auth - however, every time I try to open them, I seem to be able to browse to them. Even when I follow the documentation.
I can't seem to find any way to restrict the page to be accessible only to authorized users.
Any idea how best to approach this?
Edit: Looks like it's not supported directly without building a lot of custom code. It would be brilliant if they could support a simple htaccess file or similar. Here is a link to post a feature request:
https://firebase.google.com/support/contact/bugs-features/

All static content (HTML, CSS, JS, and other files) published to Firebase Hosting is publicly accessible if you know the URL. There are no authentication controls you can easily configure to change this behavior.
If you need to protect content, you could set up some code via Cloud Functions that checks the user's authentication and serves the content based on its decision.
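
One way to build the Cloud Functions check described in the answer above, as an added example that is not part of the original answer or Firebase's own code. The names `PAGES`, `bearerToken`, `makeGate` and the `/members/...` routes are hypothetical, and the token verifier and file reader are passed in so the block runs without the Firebase packages installed.

```javascript
// Added example: serve non-public pages only to callers with a valid ID token.
// Allowlist of gated routes -> files bundled with the function (assumed names).
// These files must live outside the Hosting "public" directory, otherwise
// they stay reachable by URL no matter what the function does.
const PAGES = new Map([
  ['/members/home', 'home.html'],
  ['/members/reports', 'reports.html'],
]);

// Extract the token from "Authorization: Bearer <token>"; null if missing.
function bearerToken(req) {
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  return m ? m[1] : null;
}

// verifyIdToken: async (token) => claims, rejects on a bad or expired token.
// readPage: (fileName, claims) => response body.
function makeGate(verifyIdToken, readPage) {
  return async function gate(req, res) {
    const token = bearerToken(req);
    if (!token) return res.status(401).send('Sign-in required');
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      return res.status(403).send('Invalid or expired token');
    }
    // Only allowlisted routes map to files, so the request path is never
    // used to build a filesystem path.
    const page = PAGES.get(req.path);
    if (!page) return res.status(404).send('Not found');
    res.set('Cache-Control', 'private, no-store'); // keep out of shared caches
    return res.status(200).send(readPage(page, claims));
  };
}

// Wiring in functions/index.js (needs firebase-admin and firebase-functions):
//   admin.initializeApp();
//   exports.members = functions.https.onRequest(makeGate(
//     (t) => admin.auth().verifyIdToken(t),
//     (name) => fs.readFileSync(path.join(__dirname, 'private', name), 'utf8')));
// firebase.json rewrite: { "source": "/members/**", "function": "members" }
```

A plain browser navigation does not send an `Authorization` header, so the signed-in page has to request the gated content itself, passing the result of `user.getIdToken()` as the bearer token.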

I suggest saving the needed secret part of the HTML/JS in Firestore with security rules and dynamically uploading it to the page after auth.

Related

Firebase Storage Security. Why can I copy/paste the link to my files and open them in the browser? [duplicate]

This might be a very stupid question, but I need to ask since I'm not very good with security, authentication etc. When I upload an image to Firebase Storage with an authenticated user in my React app, the files get shown in the Storage dashboard. My security rules show that only authenticated users can write and read data. However, when I click on an image it opens in the web browser with a link. So my question is, how secure is that? I see that there is an access token but I'm not sure what its role is. Is it that only users with this token can access files? And by default authenticated users have it?
Please help
Thank you
If you generated a "download URL" using the Firebase SDK, that URL will bypass security rules entirely. It is considered an "unguessable, shareable" URL. If this isn't what you want, then don't generate and share a download URL. You will have to make people use your app to download the content using the SDK.
If you're building a web app, you don't have much of an alternative, as you need a download URL to populate an img tag that they can see.

How do we host AMP pages over Firebase hosting? | #AskFirebase

Is it possible to create a website using AMP pages that can be hosted over Firebase hosting?
If yes, is it possible to create dynamic AMP pages that can add and fetch data to/from Firebase Firestore?
If yes, please explain how that is possible.
AskFirebase
Thanks!
Yes, it is possible. You can generate AMP compatible templates that are served over firebase hosting, or via an https triggered firebase function.
Firebase functions hosting documentation: https://firebase.google.com/docs/hosting/functions
Your firebase function can dynamically fetch and serve data from Firestore / Realtime database. You can also implement caching so that static html is served from a CDN.
Creating an AMP page from scratch:
https://www.ampproject.org/docs/tutorials/create/basic_markup
Just follow the AMP guide to ensure your code structure and syntax are correct.
Obviously this answer is very simple compared to implementation, but hopefully that gives you some direction and an idea of what is possible.
Server Side Rendering Tutorial
Google has a video series on server-side rendering with Firebase, I highly recommend it: https://www.youtube.com/watch?v=nbTn1czE2L8&list=PLl-K7zZEsYLkbvTj8AUUCfBO7DoEHJ-ME

Requesting extra permissions through Google sign in on Concrete5

We are currently trying to use Concrete5 to create an internal Intranet for the company I work for (this is a web-based server). What we would like to do is allow our employees to sign in using their Gmail and be able to see their personal calendars amongst other things on sign in.
I would like the employees to just sign in once, get automatically asked for granting permissions during the login, and then be taken to the home page.
I'm having trouble figuring out how to modify Concrete5's built-in Google login to request these scopes. I am pretty bare-bones in my PHP knowledge and no amount of Google searching has really answered my question specifically for modifying the authentication for Concrete5.
So to sum up my question:
How would someone go about modifying Concrete5's Google authentication to request additional permissions? We are using 5.8.3 and are always updating as necessary, so modifying the core is not really an option to prevent overwrites in the future.
The best way to do that would be to copy the core Google login system to create a new one. You could call it Google Custom or anything you want. You could include it in the folder application/authentication or in a package, with the appropriate modifications.
But to be honest, if you're bare-bones in your PHP knowledge, it all might be a bit too difficult to achieve.

Headless Wordpress with user authentication

I've set up a headless WP with a ReactJS frontend. My idea is to use the WP backend to store and manage content that users create. I want people to be able to sign up and log in to my site, and create their own content. But my problem is that I need a guide/tutorial on how to do this. Should I use the JWT authentication plugin, and how do I create users (they do not have to be WP users)?
Any ideas?
Thanks Kasper
First you must create WordPress users, as the WordPress code checks the capabilities of the current user to allow write access to its data. WordPress supports a REST API that allows front-end JavaScript to access its data. By default it uses cookie authentication to control access. However, there are actions/filters so you can implement your own authentication. If you use the default cookie authentication then you can use the WordPress login facilities to handle authentication. The supported JavaScript client is a Backbone client. I don't know if that will work well with ReactJS (I don't know ReactJS), so you may need to do some work on the front-end client side.
Incidentally, the WordPress Calypso project uses a ReactJS frontend to access the WordPress backend. I don't know this project so I don't have an opinion. My feeling is that WordPress decided on Backbone before ReactJS became well known but ReactJS is actually much better so they have the Calypso project. You can read that code to get ideas.
