excited about Firebase, my admins must use multi-factor login for the account dashboard (policy issue). Is this possible? Is it a setting I can't find? Can I login to account dashboard using Google (and thus force mult-factor)?
Disclaimer: I work for Firebase
Firebase's log in system is separate from Google's and does not offer two-factor auth. We are looking to enhance this, but currently these are constraints.
If you want your application administrators to go through a more stringent log in process than Firebase allows for its account dashboard, you might want to consider setting up an application-administration dashboard. This is just a separate section of your application that you build. So that also means you have full control over the access mechanism, through a custom token generator.
Related
I am making an admin tool page to allow admins to change users email for when they change or set their account to deactivate so they can not access the site anymore. Everything I have looked at seems to be using 'CurrentUser' but this will not work due to the fact they will be logged in as themselves which is marked as Admin level so they have access to the tool. So is there any way to change a users email for authentication without logging in as them?
If the Firebase Authentication client-side SDKs had an API that allowed you to change the email address of anyone but yourself that'd be a major security risk.
This is the reason an API to update any user by their UID only exists in the Admin SDK, which can only be run on a trusted environment as it requires full administrative access to your project.
If you want to expose this functionality to specific users of your app, you'll have to wrap the relevant call of the Admin SDK into a custom endpoint that you then call from the app. Just make sure to check that the user is authorized, before changing some other user's account.
I am using Firebase Auth to authenticate users using the Email/Password Method. Sometimes I detect spam users that create a lot of accounts from one IP address. I want to block them to protect my app.
I know that there is a method called "Disable User Account" in Firebase Console. I want to use it in my project.
I searched in Stack Overflow as well as the Firebase Docs and found that this only can be done in Admin SDK but I want to use it in the Firebase Web JS SDK. So is there a method to do that like user.DisableAccount?
There is no method to disable a specific user's account in the client-side Firebase SDKs, as that would be a security risk.
But if you look at the documentation for updating a user with the Admin SDK, you'll see there is a property disabled that you can set to true.
From that moment in, that user won't be able to sign in or refresh their ID token. Their existing ID token is still valid though, and by default, that means it may take up to an hour for them to get signed out of your app. If that interval is a concern for your use case, have a look at the documentation on managing user sessions, specifically the section on detecting ID token revocation. While more work, this allows you more granular control of the expiration of the token.
I am using Firebase test lab to automate ui test.
Is there any possible way to login my own test account instead of test account ?
It seems that Firebase support custom login but not work for me.
Custom sign-in: If you provide test account credentials, you need to
tell Robo test where to enter them, and also provide those
credentials.
Thanks
If you require a Google account to log in, your only option is to allow Robo to use its own account.
If your app allows some sort of custom username/password login using form fields that you created yourself, then you can arrange for those values to be entered by configuration, as the documentation is saying. This is not going to be a Google account.
CONTEXT:
In firebase settings, there's a permissions tab. This shows the users/emails that are associated with accounts that have admin access to the firebase project and console.
I could have sworn I once saw a document describing a method or some way of checking if a user account in firebase auth is also an administrator of the firebase project.
I seriously can't tell if it was in a dream (yes I dream code) or if I actually saw it. I often work late nights and fall asleep in front of my computer.
Question: Is there any way to tell if a user is also an administrator of the firebase app?
IE the user email matches an email that’s listed in the IAM/access management section of firebase as an 'owner' role?
Im currently writing an admin panel for my app, so such a feature would be very useful.
If such a thing does not exist, can anyone suggest an alternative way to manage and authorise users that are capable of logging into the admin dashboard to have control over the app? I already understand custom claims so I will use them if no better solution is suggested.
Well, using only the FirebaseAuth through your app, I don't think you can (as far as my knowledge goes). But you can easily implement the Admin SDK to manage your Custom Claims. Basically, you can use the Admin SDK and find out which "role" you want to access.
Referencing Firebase
Custom claims can contain sensitive data, therefore they should only
be set from a privileged server environment by the Firebase Admin SDK.
and
Custom claims can only be retrieved through the user's ID token.
Access to these claims may be necessary to modify the client UI based
on the user's role or access level. However, backend access should
always be enforced through the ID token after validating it and
parsing its claims. Custom claims should not be sent directly to the
backend, as they can't be trusted outside of the token.
Once the latest claims have propagated to a user's ID token, you can
get them by retrieving the ID token.
Therefore, you'll only need the FirebaseAuth implemented on your app's (client), but will need an extra implementation using a server.
Please see the Firebase use cases, they'll probably fit your needs, and you can pick the one that is "easier" for you.
It turns out it can't do what I wanted in the first place because it's only available on certain triggers.
Here it is: context.authType
https://firebase.google.com/docs/reference/functions/functions.EventContext#.authType
The level of permissions for a user. Valid values are:
ADMIN Developer user or user authenticated via a service account. USER
Known user. UNAUTHENTICATED Unauthenticated action null For event
types that do not provide user information (all except Realtime
Database).
Although it would be great if we could get this information on callable functions and firebase triggers because it would help further secure hosted backend admin apps for customer service or developers, who have high-level access to admin functions. This variable seems to not be available on callable functions but is available on newUser trigger - which is strange, because how can user signup ever be authenticated anyway?
Maybe I wasn't searching the documentation properly, but what is the recommended standard way of treating authorisation levels/classification for admin users in firebase?
Let's say in classic admin user scenario, where admin should have the access to all user accounts while normal authenticated users have write access to only specific objects.
I came accross this post but the solution using firebase secret is not good enough in this case. Firebase secret is meant to be used by server and setting up the extra server authenticating admin users and talking to firebase is certainly the option, but the complexity and programming overhead is increased.
The better option is using the security rules. Question here is - Does not this generate an extra overhead for each single read/write operation? The number of general users could be in millions while there is only handful of admins. Secondly you do not want non admin to be authenticated by management tool even though they will not be authorised to do anything.
Third option - however I don't know how would I achieve this - limit authentication to admin interface webapp only to specific admin users or set the limit for the specific domain. Let's say only {name}#myappadmin.com will be allowed to be authenticated thus I will not need to do the authorisation check before each operation. Is this even possible using only Firebase as backend?