How do we restrict Cloud Firestore for specific domain

6,757 views

Pankaj Shukla

May 25, 2019, 11:10:09 AM
to Firebase Google Group
Hi,

Is there a way to restrict Firestore read operations with certain domain like *.abc.com?

I need to have security that my web code can read data from a specific collection only for whitelisted domain.

Please help.

- Pankaj

Sam Stern

May 27, 2019, 11:29:37 AM
to Firebase Google Group
Hey Pankaj,

In Firebase Auth you have to provide a "whitelist" of domains that your users can use to sign in.  You can then use Firebase Security Rules to restrict database access to only signed in users.  I think this will give you what you're looking for.

- Sam

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5b3f2556-50e0-456a-a102-0b1f74e9cdd7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Doug Stevenson

May 27, 2019, 5:03:46 PM
to Firebase Google Group
Even with all this in place, I don't think there is really any way to prevent someone from taking their auth token and using that in their own web pages (for the hour that the token is valid).  However, practically speaking, no one is going to do this unless they're putting in some serious effort to subvert the system you've set up.

Doug



Pankaj Shukla

May 28, 2019, 10:20:21 AM
to Firebase Google Group
Hey Sam,

Thanks for the reply! Actually, our use case is slightly different: we don't have a login-protected area, so we can't have a user login domain to authenticate using the Firestore auth security rule.

We need to broadcast data on our domains for all the users, but we want to restrict the Firebase client-side script to only read data from our domain, not others. Is there any workaround for it?

Many Thanks

- Pankaj


Daniel Ramer

May 28, 2019, 10:20:33 AM
to fireba...@googlegroups.com
Disable the cookie for them, or log in to your browser as guest when visiting other sites.


Doug Stevenson

May 28, 2019, 10:31:32 AM
to fireba...@googlegroups.com
If you don't have security rules protecting your database using the user's identity (obtained from Firebase Authentication), then everyone in the world will be able to access your database's content via the Firestore REST API.  So, if your rules allow access to any collections or documents without requiring auth, that access is granted to the world via that API.

If this isn't going to work for you, consider setting up some sort of middleware that performs whatever checks you want, then authorizes the access based on that logic.

Doug


Sam Stern

May 28, 2019, 12:12:23 PM
to Firebase Google Group
Hi Pankaj, 

You don't need the users to explicitly sign in.  You can use anonymous authentication which can be done without any user interaction.  

Sam

IndianMan320

Jul 4, 2020, 10:56:36 AM
to Firebase Google Group
Yes, there is a way: simply go to the Authentication panel, go to the 'sign-in method' tab and scroll down to Authorised domains. After that, click on 'Add domain' in the top left corner and put in the required information, then change your rules to ensure that no other domain is able to edit the values, so your database is locked to the domain and you're safe.

Arthur Thompson

Jul 6, 2020, 12:16:19 PM
to fireba...@googlegroups.com
Hi,

The short answer is "no". There is nothing built in to identify (or verify) the domain of a request. If you must take this route you will have to implement this via a Cloud Function where you have more access to the request information. Here are the docs that define the information available about requests via Security Rules.
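The "middleware" route that Doug and Arthur describe, as an added example that is not code from this thread or from Firebase: a Node-style request handler that checks the browser-supplied Origin header against an allowlist such as `*.abc.com` before returning data. The Firestore read is a hypothetical stand-in (`fetchPublicDocs`) so the example runs offline; in a Cloud Function that call would be replaced by an Admin SDK query.

```javascript
// Added example (not from the thread): origin-allowlist middleware in front of
// Firestore data. The Firestore read is a hypothetical stand-in (fetchPublicDocs)
// so this runs offline; a real Cloud Function would query via the Admin SDK there.
const ALLOWED_HOSTS = ["abc.com", "*.abc.com"]; // exact host or one leading "*."

// Parse an Origin header value into { scheme, hostname }; null if malformed.
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let url;
  try { url = new URL(origin); } catch { return null; }
  // A serialized origin is scheme://host[:port] only; reject paths, queries, creds.
  if (url.pathname !== "/" || url.search || url.hash || url.username) return null;
  return { scheme: url.protocol.replace(":", ""), hostname: url.hostname };
}

// True when the origin is https and its host matches one allowlist entry.
function isAllowedOrigin(origin, hosts = ALLOWED_HOSTS) {
  const parsed = parseOrigin(origin);
  if (!parsed || parsed.scheme !== "https") return false;
  return hosts.some((entry) => {
    if (!entry.startsWith("*.")) return entry === parsed.hostname;
    // "*.abc.com" matches "www.abc.com" but not "abc.com" or "abc.com.evil.test".
    const suffix = entry.slice(1); // ".abc.com"
    return parsed.hostname.endsWith(suffix) && parsed.hostname.length > suffix.length;
  });
}

// Hypothetical placeholder for the Admin SDK read a real Cloud Function would do.
function fetchPublicDocs() {
  return [{ id: "constructed-doc-1", headline: "sample headline" }]; // constructed data
}

// Handler: 403 for unknown origins, otherwise the data plus a CORS header that
// echoes the specific allowed origin (never "*") so the allowed page can read it.
function handle(req, res) {
  const origin = req.headers.origin;
  if (!isAllowedOrigin(origin)) {
    res.writeHead(403, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "origin not allowed" }));
    return 403;
  }
  res.writeHead(200, {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  });
  res.end(JSON.stringify(fetchPublicDocs()));
  return 200;
}
```

Browsers set Origin themselves and page scripts cannot change it, so this stops other sites' pages from reading the data, but any non-browser client can send whatever Origin it likes, which is the same limit Doug notes above about reusing a token outside your pages.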
