I'm using Firebase for a production level project and was wondering how I should write my security rules. I am using session-based authentication with my project, where a cookie is sent from the frontend (after a user has logged in) to the backend, and then the userID in the cookie is used to determine the permissions to the data of that user. The user logs in with a username and password, stored in the Users collection in Firebase (Cloud Firestore).
Because of this, I thought that users could only access data that should be available to them. However, I am not sure what Firebase security rules I should write. I thought that because I am authenticating users on my backend, I can allow anyone to read/write to the database, because permissions will be automatically monitored by the backend routes using the permissions stored based on the userID. However, Firebase docs say that I shouldn't do this because if anyone guesses the project ID, they will have full access to my database. What should I do? What security rules should I write?
Thanks!
Related
im maintaining an older react web-app that uses a firebase realtime-database to store its data. I want to restrict the access to the database, so that only my react app can read from and write into the database. Is there a way to set up an admin-like login (kinda like with sql-databases) to authenticate my application?
I don't want to authenticate other users or enable them to register, I just want to ensure that only the web-app can edit and modify the database.
I've tried to experiment with the firebase authentication-methods but they don't seem to be what im looking for.
Thanks in advance!
I don't want to authenticate other users or enable them to register, I just want to ensure that only the web-app can edit and modify the database.
That's not possible. The only way to control access to a Realtime Database instance (while allowing direct access from web and mobile clients) is using Firebase Authentication to identify users, in combination with security rules that determine which users can access which data. Otherwise, anyone with an internet connection will be able to read or write the database.
My organization is taking a look at the security of registered applications within Azure Active Directory (AAD) and have concerns around the ability of individuals to add client secrets and certificates for applications that are using the "application permissions" model. I'm working to help narrow the roles of individuals within the organization to restrict this, but this investigation begged the question of what a malicious insider could do if he or she could add a client secret to this application.
I've looked through the 30 Days of Microsoft Graph blog series, which is excellent, but wanted to clarify what else can be done to prevent an insider from gaining access to the permissions this application would allow.
Does the redirect URL itself protect against this kind of scenario, provided the organization retains control of all registered URLs (meaning, for example, that https://localhost isn't registered)? Based on this post under Step 3, I assume the answer is yes but wanted to make sure this is the case.
Is it technically correct to say that without the redirect URL being secured/owned by the organization, a malicious insider who could add client secrets could exploit the permissions granted by the application?
If you are able to add a client secret to an app that already has been granted application permissions to something, then this user can use the new secret to get tokens and access those resources as the app.
Redirect URL is not used with application permissions, only delegated permissions.
This is because there are no redirects in the client credentials grant flow, which is used when acquiring a token with app permissions.
It's just an HTTP request.
So you are correct in your assumption that being able to add a new secret to an app that already has permissions can be a security issue.
There are audit logs though, and I believe adding a secret/certificate is logged.
I am trying to create a React app where a user with "admin" role can create a new user in firebase.
The workflow would look like that:
normal login -> check userRole -> if admin: show createUserForm.
As far as I have read from the documentation, I would need an Admin SDK, but the problem is - how to implement it on client-side app? Has anyone gone through this process?
The Firebase Admin SDK should only be used in a trusted environment, i.e. a server you control or Cloud Functions. It should not (and cannot) be used in a client-side React app.
If you want to allow certain users of your React app to create accounts for other users, you'll want to move that part of the flow to a trusted environment where you can use the Admin SDK.
So the flow becomes:
Detect in the client-code whether the user is an admin (likely using a custom claim) and only show the form if they are.
Call a Cloud Function from your client with the input from the form.
Ensure the user calling Cloud Functions is authorized.
Create the user account in the Cloud Function using the Admin SDK.
As you can see this is quite involved. I highly recommend considering alternative use-cases, such as what it actually is that you want the admin to control. Once you enable a provider in Firebase Authentication, any user can create an account with that provider. Trying to control that from within your application code is just a recipe for problems. Often what you're actually trying to control is what a specific user account can do: e.g. only approved users can access certain data. Depending on where you store this data, that is much easier to control. For example: if you store the data in the Firebase Database, is is common to create a whitelist of approved users in such a case (or the inverse: a blacklist of banned users).
For different roles with there permissions example admin , moderator , user
All these roles have different permissions for accessing pages and functionalities
How can I implement this in frontend
I am using react redux as my front end
Access and Identity management are typically not features which are solely handled at the front-end.
Your user should authenticate itself against a back-end which then grants a role to your user (which you can then use to show features which are only applicable to this role). However to avoid users from using features they have no rights to, you should validate on the back-end every request they do.
This gives you the flexibility to change a user's role on the fly and invalidate their access to the application when necessary.
My legacy web forms app uses windows authentication to match up the incoming user domain\username against a custom user table. If they are registered the user Id is stored in a session variable and whenever a new shipment record is created by the user the shipment record is created with the session.userID (foreign key to the user table.)
In a nutshell mu criteria is:
Use windows authentication (no typing passwords)
Use bearer token's.
Persist the user id (primary key) from custom table to track user records etc..
Use Web api
Use EF 6
I would like to build a new Angular front end with web api 2.0 Entity Framework 6 but continue using my own user table rather that the new asp.net.Identity.
The main criteria for this intranet application was people didn't want to have to type user names and passwords, they wanted to just authenticate by the windows account. I cannot see any example of how to do this with Web API and bearer token. All examples are based around the Asp.net.Identity
I was planning on using vs2013 Webapi with the Windows Authentication Template but I am lost and cannot see any example's for Intranet apps where people do this.
I really like the idea of bearer token's and want to use then but with my own user table whilst ensuring that my user.id is used by EF when new records are created etc..
The method of authentication is determined by the web server hosting your application, not the application itself. I have done this several times myself for production-level Intranet business web applications. The setting(s) that make this happen is located in your application's web.config file. Get to know the settings in that file very well. It's important.
There are two terms to keep in mind and both have different meanings: user authentication and user authorization. You don't need some fancy framework to accomplish user authentication, given your requirements. Since you are relying on Windows Authentication against Active Directory, anyone who isn't on your company's domain won't be able to access the website, period. The authentication is handled automatically for you by the server (IIS, I assume). It's super simple. When you provision the site under IIS, just make sure that Windows Authentication is the only enabled form of authentication.
User authorization can be more granular. Even though a user may be authenticated, you still may not want them to have access. This is where your user table comes in to play. The process is rather straightforward. Once the user is authenticated by the server, the server stores their credentials into the User.Identity variable that you can access in your server-side code. You could then verify that the User.Identity.Name is in your table and generate a verification token or cookie to store on the client. In the same action, you could also send to the client the user's id. I'd store the token and the user id either in the client's sessionStorage or as a cookie. Then, for security protection, you could send this token on every server request. As long as the token is valid, the HTTP action is processed. Furthermore, when the user makes a PUT, POST or DELETE, include the user id in the request data.
Here are some helpful links:
Authentication and Authorization in ASP.NET Web API
Integrated Windows Authentication
Web API Security