im maintaining an older react web-app that uses a firebase realtime-database to store its data. I want to restrict the access to the database, so that only my react app can read from and write into the database. Is there a way to set up an admin-like login (kinda like with sql-databases) to authenticate my application?
I don't want to authenticate other users or enable them to register, I just want to ensure that only the web-app can edit and modify the database.
I've tried to experiment with the firebase authentication-methods but they don't seem to be what im looking for.
Thanks in advance!
I don't want to authenticate other users or enable them to register, I just want to ensure that only the web-app can edit and modify the database.
That's not possible. The only way to control access to a Realtime Database instance (while allowing direct access from web and mobile clients) is using Firebase Authentication to identify users, in combination with security rules that determine which users can access which data. Otherwise, anyone with an internet connection will be able to read or write the database.
Related
I'm using Firebase for a production level project and was wondering how I should write my security rules. I am using session-based authentication with my project, where a cookie is sent from the frontend (after a user has logged in) to the backend, and then the userID in the cookie is used to determine the permissions to the data of that user. The user logs in with a username and password, stored in the Users collection in Firebase (Cloud Firestore).
Because of this, I thought that users could only access data that should be available to them. However, I am not sure what Firebase security rules I should write. I thought that because I am authenticating users on my backend, I can allow anyone to read/write to the database, because permissions will be automatically monitored by the backend routes using the permissions stored based on the userID. However, Firebase docs say that I shouldn't do this because if anyone guesses the project ID, they will have full access to my database. What should I do? What security rules should I write?
Thanks!
I am looking to fetch lastSignInTime for all users by using the UID of the users.
I am using react.js
I have attached a screenshot of it so that you will have an idea of what I am looking for.
Hope, you guys help me out with this.
There is no way to access profile information about other users than yourself from within the client-side SDKs of Firebase Authentication.
If you need such information in your app, the two main options are:
Write the information to a cloud-based database (such as Firebase's own Realtime Database or Firestore) when they sign in, and read it from there.
Use the Admin SDK to access this information for all users in a trusted environment, such as a server you control or Cloud Functions. From there you can then expose the information to your ReactJS application as a custom API.,
In both cases, be sure to take care of securing access to the information, by limiting the amount of data you expose and who can access it.
I am currently working on a react application, and have a database of customer information. I want to turn that information into accounts, and was wondering if Firebase will work for this? I don't want to have to store passwords, or deal with accounts, so I just want current customers to be able to log in with google / facebook. Will Firebase be able to link into my current PostgreSQL db, or how would that work?
There are NPM modules for this that I have been looking into, however I was wondering if Firebase is a better option for this. Also, what would the limitations of a free Firebase account be?
Firebase Authentication has no built-in connection to PostgreSQL.
But if you have a trusted environment where you can run code (like your development machine, a server you control, or Cloud Functions for Firebase), you can use the Firebase Admin SDK to verify the token from Firebase Authentication. For more on this approach, see the Firebase documentation on verifying ID tokens.
Im searching solution about authentication.
I found IdentityServer and Im trying understand how it works.
In my case I need to check user exist in another app.
I have old project created in asp.net web froms and this project have a users collection stored in db.
Now I must create client who will be call to WebApi and in this WebApi I need to authenticate user. I want to do this using IdentityServer4. Can I in IdentityServer call to my old application or db this application and check user by custom method?
In future I want connect another application to IdentityServer and this new application should have users in IdentityServer, so I will be have two places where I will have users for two application. I need to be sure I can check user exist in this two ways.
When request will be form new app IdentityServer should check user in his db and if request is from client who will be call to old app should check this user in external app(db).
Example call:
enter image description here
I dont know I good understand idea of IdentityServer, but generaly I think this is not good solution for my case...For now I understand I can store users in database but only with Asp.Identity in IdentityServer.
What do you think about this case ?
In future I want connect another application to IdentityServer and this new application should have users in IdentityServer, so I will be have two places where I will have users for two application. I need to be sure I can check user exist in this two ways.
When request will be from new app, IdentityServer should check user in his db and if request is from client who will be call to old app, should check this user in external app(db).
The short answer is that IdentityServer4 is just an implementation of the OpenID Connect protocol and the persistence and authentication of users is entirely customisable so you're free to implement that any way you like.
As for where to keep your users - that will depend on your problem domain and business rules but I'd probably try and avoid using multiple DBs if possible and instead migrate existing users from legacy applications to your identity service's own store and take care to only bring over identity and authentication information and not access control/authorization information. i.e. keep the authorization logic in your client applications and APIs.
I am trying to create a React app where a user with "admin" role can create a new user in firebase.
The workflow would look like that:
normal login -> check userRole -> if admin: show createUserForm.
As far as I have read from the documentation, I would need an Admin SDK, but the problem is - how to implement it on client-side app? Has anyone gone through this process?
The Firebase Admin SDK should only be used in a trusted environment, i.e. a server you control or Cloud Functions. It should not (and cannot) be used in a client-side React app.
If you want to allow certain users of your React app to create accounts for other users, you'll want to move that part of the flow to a trusted environment where you can use the Admin SDK.
So the flow becomes:
Detect in the client-code whether the user is an admin (likely using a custom claim) and only show the form if they are.
Call a Cloud Function from your client with the input from the form.
Ensure the user calling Cloud Functions is authorized.
Create the user account in the Cloud Function using the Admin SDK.
As you can see this is quite involved. I highly recommend considering alternative use-cases, such as what it actually is that you want the admin to control. Once you enable a provider in Firebase Authentication, any user can create an account with that provider. Trying to control that from within your application code is just a recipe for problems. Often what you're actually trying to control is what a specific user account can do: e.g. only approved users can access certain data. Depending on where you store this data, that is much easier to control. For example: if you store the data in the Firebase Database, is is common to create a whitelist of approved users in such a case (or the inverse: a blacklist of banned users).