Firebase security rules - hash functions

[Michael G]

Hi,I would like to validate that an authenticated user's email is the only one accesses its directory. I would like  to store in the DB only hash of users email and validate it in the rules.

for example:

root

  |-----sha(a...@a.com)

  |-----sha(b...@b.com)

and then validate in security rules that only sha(auth.email) can access its directory.

Is there a way to do it somehow? 

[Doug Stevenson]

Typically you use the uid of the authenticated user to authorize access to parts of the database.  The database would use the uid as an organizer, so it would be present as the name of a node (in Realtime Database) or document (in Firestore) that you can easily find.

Email addresses can change over time, but the uid always stays the same for a given user account.  Is the uid sufficient, or do you really need to use email address?  If you do need email address, could you explain your use case?

Doug

[Michael G]

Thanks for your reply, the use case is as following:

I have App-A and App-B and I want them to communicate through firebase, but App-A decides which users of App-B will be able to do it. So App-B users sign up/in using email sign in and I don't know beforehand their uid to create the DB before.

So one option is to save App-B available contacts under directory, and to define permissions I use the email address as identification, but I wouldn't like to store the emails in order to avoid PII saved in my DB so I'd rather save the hash of the email.

[Doug Stevenson]

OK, we've been talking about that use case internally.  There are no hashing functions available currently with security rules, but it certainly could be implemented without too much trouble.  We can't offer you anything else right now other than "stay tuned".  Please feel free to submit a feature request in the meantime.

Doug

--
You received this message because you are subscribed to a topic in the Google Groups "Firebase Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/firebase-talk/tt9tCfoFY4g/unsubscribe.
To unsubscribe from this group and all its topics, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/c0cfee92-df5c-4759-a5ca-05833301daa1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[scottc...@google.com]

Hi!

Checkout the `hashing` package I added. For Cloud Firestore you can now write rules like `docId == hashing.md5(request.auth.uid.toUtf8()).toBase64()`

On Friday, January 18, 2019 at 12:18:59 PM UTC-8 Doug Stevenson wrote:

OK, we've been talking about that use case internally.  There are no hashing functions available currently with security rules, but it certainly could be implemented without too much trouble.  We can't offer you anything else right now other than "stay tuned".  Please feel free to submit a feature request in the meantime.

Doug

On Fri, Jan 18, 2019 at 7:17 AM Michael G <mic...@gmail.com> wrote:

Thanks for your reply, the use case is as following:

I have App-A and App-B and I want them to communicate through firebase, but App-A decides which users of App-B will be able to do it. So App-B users sign up/in using email sign in and I don't know beforehand their uid to create the DB before.

So one option is to save App-B available contacts under directory, and to define permissions I use the email address as identification, but I wouldn't like to store the emails in order to avoid PII saved in my DB so I'd rather save the hash of the email.

On Thursday, January 17, 2019 at 11:15:42 PM UTC+2, Doug Stevenson wrote:

Typically you use the uid of the authenticated user to authorize access to parts of the database.  The database would use the uid as an organizer, so it would be present as the name of a node (in Realtime Database) or document (in Firestore) that you can easily find.

Email addresses can change over time, but the uid always stays the same for a given user account.  Is the uid sufficient, or do you really need to use email address?  If you do need email address, could you explain your use case?

Doug

On Thursday, January 17, 2019 at 7:23:50 AM UTC-8, Michael G wrote:

Hi,I would like to validate that an authenticated user's email is the only one accesses its directory. I would like  to store in the DB only hash of users email and validate it in the rules.

for example:

root

  |-----sha(a...@a.com)

  |-----sha(b...@b.com)

and then validate in security rules that only sha(auth.email) can access its directory.

Is there a way to do it somehow? 

--
You received this message because you are subscribed to a topic in the Google Groups "Firebase Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/firebase-talk/tt9tCfoFY4g/unsubscribe.

To unsubscribe from this group and all its topics, send an email to firebase-talk+unsubscribe@googlegroups.com.