firebase rules


Peter Driessen

Jun 21, 2016, 10:19:47 AM
to Firebase Google Group
Hi all,

I'm using authWithCustomToken on trusted devices for client-side JavaScript and I'm now adding GoogleAuthProvider for a web app. When I authorize through Google, my account is added automatically. I have two questions:
1. How can I prevent new people from authorizing? I only want to allow certain Google accounts.
2. How do I set up rules so only specific uids and the authWithCustomToken clients have access?

Regards, Peter

Jacob Wenger

Jun 21, 2016, 1:33:27 PM
to fireba...@googlegroups.com
Hey Peter,

Here are some example rules that might spur some ideas for you:

".read": "auth.token.email.endsWith('@gmail.com')"  // only allow @gmail.com addresses to read this node

".write": "auth.token.email === 'f...@bar.com'"  // only allow f...@bar.com to write to this node

".read": "auth.uid === 'someuid' || auth.uid === 'otheruid'"  // only allow users with uids of "someuid" or "otheruid" to read this node

Re: stopping people from authorizing. You cannot prevent them from logging in, but you can prevent them from doing anything like reading or writing with the use of Security Rules like you see above.

Cheers,
Jacob


Peter Driessen

Jun 21, 2016, 1:40:25 PM
to fireba...@googlegroups.com
Hi Jacob, 

Thanks for your reply.
"auth.token.email === 'f...@bar.com'" is what I am looking for, for the email part.

But what about the custom authentication with the API secret? Those clients don't have a uid. How can I add only them in the rules?

".write": "auth.token.email === 'f...@bar.com' || auth.custom_token" or something?

Regards, Peter




--
Kind regards,

Peter Driessen

Peter Driessen

Jun 21, 2016, 1:42:55 PM
to Firebase Google Group

Peter Driessen

Jun 21, 2016, 1:55:55 PM
to Firebase Google Group
Hi Jacob, 

I found this in the documentation:
Using a Firebase app secret: All authentication methods can accept a Firebase app secret instead of a JWT token. This will grant the server complete read and write access to the entire Firebase database. This access will never expire unless it is revoked via the App Dashboard.
So whatever rules I'm using, with the app secret I always have access to the entire database.

Thanks a lot!

Jacob Wenger

Jun 21, 2016, 2:19:48 PM
to fireba...@googlegroups.com
Hey Peter,

It looks like you are using the 2.x.x SDKs. Whenever you authenticate with a secret, you do get admin rights and ignore all read, write, and validate rules. This is rarely what you want and typically overpowers your server. Instead, you should mint a custom token via one of our token generators and assign a unique uid (like "my-server") to that token. Then you can use that token in your call to authWithCustomToken(). This way you can reference it in rules via auth.uid.

If you want to migrate your project and use the new 3.x.x SDKs on your server, you would no longer use secrets and instead would follow the instructions here.

Cheers,
Jacob

Frank van Puffelen

Jun 21, 2016, 11:37:03 PM
to Firebase Google Group
A small addition to these rules (because people might copy-paste them in a different context): I would recommend also ensuring that the email address is verified:

".read": "auth.token.email.endsWith('@gmail.com') && auth.token.email_verified == true"
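Putting the thread's pieces together, here is an added example rules file (not code from any post above, and not a Firebase-provided template): the server authenticates with a custom token minted with uid "my-server" as Jacob describes, the web app's Google accounts are allow-listed by verified email as Frank suggests, and everything else is denied by default. The path names and the two e-mail addresses are placeholders you would replace with your own.

```json
{
  "rules": {
    // Default deny: any path not listed below is unreadable and unwritable,
    // so a newly signed-in Google account can authenticate but cannot touch data.
    ".read": false,
    ".write": false,

    "devices": {
      // Only the trusted server process, authenticated with a custom token
      // whose uid was set to "my-server" (placeholder uid), may read or write here.
      // Never use the legacy app secret here: it bypasses all rules.
      ".read": "auth != null && auth.uid === 'my-server'",
      ".write": "auth != null && auth.uid === 'my-server'"
    },

    "dashboard": {
      // Google sign-in users are allow-listed by e-mail (placeholder addresses),
      // and only when the provider reports the address as verified.
      ".read": "auth != null && auth.token.email_verified === true && (auth.token.email === 'alice@example.com' || auth.token.email === 'bob@example.com')",
      ".write": "auth != null && auth.token.email_verified === true && auth.token.email === 'alice@example.com'"
    }
  }
}
```

The `auth != null` guard keeps the expressions from dereferencing a missing `auth` object for unauthenticated requests, which would otherwise fail closed but with a rule-evaluation error rather than a clean deny.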