I currently have admin users which have a email password login using firebase auth. These admin users have read and write access as set in security rules. I want to give the admin the ability to dynamically create subusers with limited access i.e with only read access for a certain node in firebase database. This node is not public accessible, I want to limit it to this admin and it's subusers.
My thought : is to generate secondary users username and password myself. And use that to do a basic custom Auth using firebase functions and add custom claims such as Admins UID so I can use that for security rules to give read permission for the Admin Node Only and another {sub-user: true} claim to the client to render subuser ui instead of the Admin UI.
If there is another method to achieve creating sub-accounts more efficiently, please suggest so.
Related
I am creating an app for a client working in advertising for artists.
This app consists in a dashboard supposed to display several informations plus the artist's name.
I'm using Firebase to provide my client a simple interface to add the artists accounts to a database, but I would like him to set their name, ideally without implementing a back-office.
Is there any way to add a displayName to a Firebase Auth User without code, hence directly with the website interface ?
No, there isn't way to change user's displayName in Firebase Auth object and only the user can change their name using the client SDK. You would have to use Admin SDK using Cloud functions or a server to do that.
You can however update the name in database and make sure the user trying to update the name is authorized by using Custom Claims or storing their UID in database and checking that in security rules.
One hack would be to check if user's name in database matches the name in Firebase Auth object. If not, run a function which will update it.
I have an app that lets users sign in via email and password. The app has a feed with posts that need to be moderated. I have an admin react website that lets the moderators remove or keep posts. Right now any user can login and see the content, however I wanna make the login only available for admin users. I made my account "admin" using Admin SDK of Firebase.
I was thinking to make a Cloud Function which verifies whether the email is an admin and return true or false accordingly. Then authenticate the user normally using Firebase Auth. Is this secure enough?
If you've set a custom claim marking the user as an application administrator, you can check in your client-side code for the presence of that claim. You can then use the result of that to show the correct UI.
On the server/in the database security rules, you'll also want to check the presence of this admin claim before allow the user to access/modify the moderator data.
Note that none of these prevents the users from authenticating. Authentication in Firebase is nothing more than entering your credentials to prove that you are you. Granting access to resources based on who you are, known as authorization, is up to the application, hence including it in your client-side code, and server-side code or security rules.
I am new to firebase and trying to use firebase authentication, along with firestore database. It looks like all the security lies in rules we set, however I want to know the following:
Is it possible to apply rules based on user authentication without using firebase authentication system ?
How can I make sure that the users are only created through my application ? Would anyone with my firebase credentials (Which are easily exposed in browser) be able to add users to the database ? I understand that there is no domain based locking on firestore, but is user creation atleast domain based ?
Thanks!
Firebase Authentication is the only way to populate the request.auth variable in security rules. So if you want to secure based on a user, you'll need to create that user in Firebase Authentication.
You can however:
Use anonymous authentication to generate a UID for users, without requiring them to enter credentials.
If you have an existing sign-in system, you can hook that up to Firebase Authentication as a custom provider. This would then make your user details available in request.auth in the security rules.
To lock access to your Firestore database down to users from a specific domain, you'd use something like this in your security rules:
request.auth.token.email_verified &&
request.auth.token.email.matches(".*#google.com")
So this only allows access once a user has verified the email address in their profile, and if that email address is from he given domain.
I am using firebase simple-login in my angularjs-app.
Is there any possibility to manage all existing user accounts (not with forge console)?
An admin-user should be enabled to edit and delete these accounts.
When you allow (for example) Twitter users to log in to you Firebase application, all Twitter users can log in to your Firebase application. You can't directly control specific user accounts, unless you implement your own custom authentication.
What you do have control is over what those user accounts have (read and write) access to. You do this through Firebase's security rules. If you'd remove an accounts read/write access from all your data, you've essentially locked them out of your Firebase.
You can programmatically set the security rules through the REST API. See updating security rules through rest api.
If I create a new product, use simple auth, there is a "create user" API. How do I restrict it so that only invited emails (either by the email or via a one-time key) can sign up? Doesn't seem to fit easily into the rules, but I am probably missing something.
First, I should point out that the core Firebase API uses JSON Web Tokens for auth, which you can generate yourself, so you have full control over the creation of user accounts and can restrict it however you like:
https://www.firebase.com/docs/security/custom-login.html
I'm guessing you're referring to our Simple Login service.
Simple Login is a service that provides some common login options. It has no way to restrict creation of new accounts. However, you can restrict what those accounts can do with Firebase. For example, you could set your security rules up so that only user accounts in some authorized list (in Firebase) are actually able to read or write data.