I have a JS API that uses firebase internally for DB operations, API will be used on different website domains.
I need to restrict DB operations calls from authorized domains only.
I cannot restrict by UID as non signed user also need to access website.
I believe i need to figure out some way by anonymous user or else any better way, any suggestions ?
There is no way to restrict traffic to the Firebase Database to a specific domain or list of domains. Using Firebase Authentication is the only way to control access to your data.
Related
I'd like to restrict certain requests to whitelisted IPs.
The implementation seems easy enough; just store the user's IP as a custom claim
that can be checked against a whitelist using security rules.
How secure is a Firebase app layer firewall based on auth token claims?
Alternatively, should the problem be tackled by restricting access to certain oauth providers (Azure AD, Auth0) that provide conditional access controls such as IP and device whitelisting?
References
Context Object Properties in Rules
Conditional Access: Grant
Control Access with Custom Claims and Security Rules
Posting Frank's comment as Wiki for visibility.
Custom claims can only be set by users with administrator-level access to the Firebase project. So if a certain claim is set to a value, you can be certain it was set by an account with those access permissions. But it's hard to say more about how secure an implementation is going to be, because that depends almost solely on the implementation.
Background:
In my company, we have one firebase project which is linked to our iOS application and an internal tool(purely for our use and not the consumers). Now since the database is common to both the website and the iOS app, all the users who create an account on the iOS application automatically have access to our internal tool. I wish to allow only a handful of people or one person to have access to the internal tool.
Question:
Is there a way for me to give certain users access to the internal tool? (If it involves manually giving them access from the firebase console?)
Is there a way to make the user authentication check different for the internal tool?
Firebase Custom Claims let you specify custom access to database or tools.
You can specify an admin role to those users who should have access to the admin tool and make sure they have this role in your app's route (or route guard)
Is it possible to restrict access to a resource (i.e. index.html) depending on whether the user is logged in or not? Maybe something like .htaccess?
No. Firebase hosting doesn't implement access control to static resources.
Also see the discussion in the comments of this question: Firebase route security without AngularFire
There's new info on this:
https://firebase.google.com/docs/hosting/functions
(example:
https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint )
You should be able to use a Cloud Function to restrict access to content (which is server-side authenticated and generated).
I have a firebase web app calling my Python API.
the user who is using my app does not need to login to use it but I still need to make sure that this request coming from my application
How can I verify the identity of the app sending the request?
There is no way to enforce that calls can only come from your application. In a database that is directly accessible from the internet, that is simply not possible. Anyone who can use your web app, can take the configuration data from that app and use the Firebase API to make their own calls.
That's why it's important that you enforce all business rules that you have for your database in Firebase's server-side security rules too. You can use these to enforce data structure, and (when combined with Firebase Authentication) ensure that all data access is authorized.
You can use Firebase Authentication without requiring your users to enter credentials by using anonymous authentication. This essentially gives your user a unique ID, that you can then use to identify that user (and the data they create) in security rules.
"Authentication requests to Firebase Simple Login are only permitted from domains you specify." and the two default domains are "localhost" and "127.0.0.1".
Let's say that my server's IP is "267.156.423.22". How do I setup my security rules so that that the two first domains can read specific data, but only the server can write it?
For example, if a client purchases a product, this fact and associated data needs to be noted on the client's account in the Firebase. For obvious security reasons this information must be 'writeable' by the server only.
The authorized domains configuration for Firebase Simple Login applies solely to OAuth-based authentication providers (Facebook, Twitter, and GitHub), and restricts requests to those origins in the browser.
That means if you're using one of those OAuth-based authentication providers, you'd want to enter in any origins which your end users will use to access the page (i.e. if your user accesses the page via subdomain.example.com, that'd the be origin to enter).
Keep in mind that Firebase Simple Login is built on top of that standard, one-size-fits-all custom login / token generation in Firebase. It is an abstraction layer intended to make it easy to generate Firebase Auth. Tokens, a secure way of sharing data between you and Firebase.
Once a token has been generated (via Simple or Custom login), you can begin using that token's payload in your security rules (via the auth variable). If you'd want your server to bypass security rules, simple generate a token with the admin privilege, or your Firebase secret. See https://www.firebase.com/docs/security/security-rules.html for more details.