I have been testing the Xively APIs "List All Products" and "List All Devices".
Using a Master key with only read permission and no private access, the lists contain private products, devices and feeds. For activated devices, the lists have the default feed keys with private access and read, create, update, delete permissions.
A master key with no private access can list private objects.
A master key with only read permission returns feed keys with full permission.
Is this the intended behaviour?
This is no longer the case. As far as I can see, these APIs now require a master key with private access and read, update, create and delete permissions.
Related
I want to generate a new private key from firebase to use the database APIs that firebase provides. When I click on get new private key to download the private key, I get this message:
Failed to generate a private key. Please try again in a few minutes.
How should I proceed to get the new private key now?
Why is this happening, Do I have the permissions to download the new private key?
(I am a viewer to the firebase project)
if you create so many service account keys in the past
delete them.
Go to https://console.cloud.google.com/iam-admin/serviceaccounts
click the firebase-adminsdk-[some string]#[project name].iam.gserviceaccount.com
Click keys
delete all old keys
you should be able to create new keys now
VIewer does not have the permission iam.serviceAccountKeys.create which is required to create service account keys.
You must add a role to your identity that contains that permission such as roles/iam.serviceAccountKeyAdmin
Service Account Roles
Project Viewers don’t have the access to manage the Service Account
Private keys. This is the reason you got that message when you tried
to create a private key. As mentioned in this documentation, you
should have the Service Account Key Admin role
(roles/iam.serviceAccountKeyAdmin) to manage the Service Account
keys.
The Service Account Key Admin role alone is sufficient to create a
Private Key. But without the Project Viewer Role you won’t be able to
view the page to create a Private Key from the Firebase Console. So
please ask the Project Owner or someone who has the access to grant
IAM Roles on the Project to grant you the Service Account Key Admin
role in addition to the Project Viewer role.
If your Chrome browser has an update pending, Firebase throws this message. Update your Chrome and retry, it should work.
Initial situation:
I am developing an app (iOS, Android, Web App) that primarily uses
Firebase Auth Email & Password to authorize my users and manage permissions.
There are complex configuration options for the security and
access settings that can be individually set for each user. There
are also premade roles (e.g. admin, manager, etc.). However, these
are only templates and don't need to be used by the person who
manages the user accounts. The permissions can be customized for
each user and the whole application.
My approach:
Using Firebase Auth custom claims
Because of the very customizable permission model, I thought of
giving every permission a number like this:
2000: Calendar (Full access)
2001: Calendar (View access)
2002: Calendar (Create access)
2003: Calendar (Edit access)
2004: Calendar (Delete access)
Then I thought it would be a great idea to store the permissions
that are true as a boolean (because of the smaller size than an
Integer) in the custom claims of the user like this:
// User with permissions to view the calendar, create and edit events but not authorized to delete:
'claims': {
'2001': true,
'2002': true,
'2003': true
}
// User with full access to the calendar
'claims': {
'2000': true
}
The permissions are also stored in Firebase Cloud Firestore.
Cloud Firestore
> users
> [unique_user_id]
> permissions
Checking permissions on the clients side
When the user opens the app, on the first load the system performs two
reads to Firebase Cloud Firestore to retrieve all of the current
metadata to set the app up properly. This data is saved locally. It
contains metadata to display everything correctly and also the user's
permissions. This way the UI is already preventing the user from
accessing content that should not be visible or taking actions
(create, edit, delete).
Checking permissions on the server-side via security rules of Firebase Cloud Firestore
Because client-side operations might be manipulated by the user or the
permissions of an individual user change while the user is using the
application, there need to be some advanced security instruments that
improve the overall safety of the application. This should be done on
the server-side via Cloud Functions and the security rules of Firebase
Cloud Firestore.
A security rule could look like this:
service cloud.firestore {
match /databases/{database}/{project_id} {
match /calendar/{event} {
allow read: if request.auth.token.2000 == true || request.auth.token.2001 == true;
allow write: if request.auth.token.2000 == true || request.auth.token.2002 == true;
allow update: if request.auth.token.2000 == true || request.auth.token.2003 == true;
allow delete: if request.auth.token.2000 == true || request.auth.token.2004 == true;
}
}
I could do all of this also with a Cloud Function that checks the
user's permissions before every action to the database. However, this
would result in another read for the permission of the user for every
action that was performed. This would result in a higher amount on my
Firebase bill. I try to avoid this!
Question
What do you think about this, is there a better solution for it? I am not sure if this is really it.
I also use Microsoft as a provider to authorize the user instead of creating a new account. Will this also work with those thate sign in via Microsoft?
I was trying to do something similar in my app. The problem you will find is the limit on the size of custom claims, 1000 bytes, which can be consumed pretty quickly.
One solution is creating a helper function in Firestore rules to check requests against the information you have stored for each user in the permissions subcollection. Of course, you will also have to restrict write access to those subcollections.
So, what I want to do is for users to upload their positions to Firebase under a known key (so that the uploader can update his position), but anonymously.
When I use .push(), I do get a "unique" key, but I can't get the reference to update the position later.
If I use an uid, users are going to have access to other user's uids and I'm afraid this could be a security breach. (I'm not sure if uids are very relevant security-wise).
What can I do to post anonymous positions and update these fields later?
Firebase Authentication UID strings are not intended to be secure or private. The only security is provided by security rules on the data you wish to protect. If one user knows another user's UID, they don't know the identity of the person on the other side, unless you manage to leak that data by failing to protected it correctly with security rules. So be sure to define what your access rules should be, and implement them accordingly.
If you want to use a push id for any reason, just be sure to store that unique string somewhere so you can use it later to construct a ref to the path where it was added.
Let's take a simple example.
We have the /users node, protected by a rule per user.
Then we have the /movies node and each user that watched a movie, the app will add the userid to this movie.
Since users can write to /movies, how can I protect a malicious user from ref.remove() it? I can solve it by adding the movie to the /users/$user and then create a FB function to add it to /movie. Feels strange.
Simply put, how to protect public areas?
Since an authenticated user can write into his area under /users, how do I set quota to prevent malicious user from consuming all my bandwidth, storage, etc?
I am new to Xively and I am using a free account on Xively. I want to create a simple application to access the public data feed data from Xively, but it seems that I need an API key to access this public feed. Can someone help me to create/get this key?
thanks,
What ratata said is correct. You can access the Xively public feeds with any valid master API key. In fact to read public feeds, all you need is 'read' permissions on the key.
Mouse over 'Web Tools' -> Settings -> Master keys -> Add master key
After you logged in to xively.com. Go to settings - master keys than you can add master key.
Do not forget to set the permissions for read, write ...