whitelist a domain?


Andy Kriger

Dec 10, 2016, 1:02:28 AM12/10/16
to Firebase Google Group
I am trying to understand Firebase authentication.

I have auth setup with Google as a provider
I have .read/.write rules on my database 
{
  "rules": {
    ".read": "auth.token.email.endsWith('@mydomain.com')",
    ".write": "auth.token.email.endsWith('@mydomain.com')"
  }
}

I use a GoogleAuthProvider popup to get a Google credential to sign into the database. However, this lets me pick an account different from mydomain and that gives me a credential anyway (i.e. the signInWithCredential method succeeds). However, requests for data will fail, which is what I'd expect.

Is there a way to prevent the signInWithCredential method from ever succeeding if the user isn't going to have access to the database because of the rules? Is there a way to whitelist domains in the Firebase console auth config so that a Google user from a different domain would never even be able to try to make a request because they would never have a credential? 


Kato Richardson

Dec 12, 2016, 1:01:10 PM12/12/16
to Firebase Google Group
Hi Andy,

The auth credential is not the same as granting access. The auth credential just verifies the user's identity. You need to do this, naturally, before you can decide if you want to give them access to anything. So what you're suggesting here is kind of a chicken-v-egg problem: You want to deny them access before deciding who they are; but, we need the uid to make any decisions via security rules.

Instead, I suggest you take a tack similar to the following:
  • Secure the database or portions of it based on auth.provider and auth.email as you've already implemented
  • Authenticate the user
  • If their token is valid, check it for a correct domain before your UI reports auth success
  • If the token is valid but the domain is not, simply have the UI call signOut() and report login failure (probably with a more useful message like: Oops, that's not a valid account for this app)
In this way, you provide a decent user experience, and there's no harm in the user obtaining an ID credential if they aren't on the correct domain, since they haven't been granted any access via security rules.

☼, Kato






--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Jacob Wenger

Dec 12, 2016, 1:02:17 PM12/12/16
to fireba...@googlegroups.com
Hey Andy,

You can do this via the setCustomParameters() method, as noted in this other thread.

Cheers,
Jacob
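The two replies above fit together: Jacob's setCustomParameters() narrows Google's account chooser with the hd parameter, and Kato's post-sign-in domain check plus signOut() handles the user who picks another account anyway, while the .read/.write rules from the original post remain the only real access gate. The following is an added example written for this thread, not code from either reply or from Firebase; it targets the namespaced Firebase JS API (firebase.auth.GoogleAuthProvider, signInWithPopup, signOut). The auth and provider objects are passed in as parameters (an assumption made so the logic can be exercised offline), and the email values used in the comments are constructed.

```javascript
// Added example for the thread above (not Firebase's own code).
// Domain gate on the client after Google sign-in, plus the `hd` hint on the
// provider. Firebase objects are injected so the decision logic is testable.

const ALLOWED_DOMAIN = 'mydomain.com'; // same domain the database rules check

// Mirrors the rule predicate auth.token.email.endsWith('@mydomain.com').
// The leading '@' matters: 'andy@notmydomain.com' must not match.
function isAllowedEmail(email, domain = ALLOWED_DOMAIN) {
  return typeof email === 'string' && email.endsWith('@' + domain);
}

// Jacob's suggestion: restrict Google's account chooser to one hosted domain.
// `hd` is only a hint to the chooser UI; it is not enforced by Firebase, so
// the rules (and the check below) are still required.
function makeDomainProvider(GoogleAuthProvider, domain = ALLOWED_DOMAIN) {
  const provider = new GoogleAuthProvider();
  provider.setCustomParameters({ hd: domain });
  return provider;
}

// Kato's step 3/4: decide, from the signed-in user object, whether the UI
// should report success or bounce the user with a friendlier message.
function checkSignedInUser(user, domain = ALLOWED_DOMAIN) {
  if (!user || !isAllowedEmail(user.email, domain)) {
    return { ok: false, message: "Oops, that's not a valid account for this app" };
  }
  return { ok: true, email: user.email };
}

// Full flow: authenticate, check the domain, and sign straight back out on a
// mismatch so the client never holds a credential it cannot use.
async function signInRestricted(auth, provider, domain = ALLOWED_DOMAIN) {
  const result = await auth.signInWithPopup(provider);
  const decision = checkSignedInUser(result.user, domain);
  if (!decision.ok) {
    await auth.signOut();
  }
  return decision;
}

// Usage in a page that has loaded the Firebase SDK (guarded so this file also
// runs stand-alone without it):
if (typeof firebase !== 'undefined') {
  const provider = makeDomainProvider(firebase.auth.GoogleAuthProvider);
  signInRestricted(firebase.auth(), provider).then((decision) => {
    console.log(decision.ok ? 'signed in as ' + decision.email : decision.message);
  });
}
```

Because the database rules already deny reads and writes to any other domain, the client-side check changes only the user experience: a mismatched account is signed out immediately and told why, rather than left holding a valid but useless credential.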
