I have a question about Firebase Auth.
I'm working on my app and, even if I downloaded Firebase Auth Protocol using Pods, I realized that I really don't need them.
The aim of my app is to show some random quote about users but I don't need to Auth them 'cause I don't want and I don't need to implement an Auth system.
In few words: if you're using my app, you can submit a random quote anonymously.
How do I have to set the Authentication from Firebase Dashboard in order to allow ONLY the users who use my app to do that? How can I prevent people not to submit info if they're not using an iOS device?
You could have the user sign in anonymously and have a rule in Firebase that you have to be signed in to post quotes. If you also have to be signed in to read the quotes the rules would look like this.
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Doing this through anonymous authentication is a good first step, but the rules in Casper's answer are quite easy to bypass. If you don't have a better authorization schema for your users, I recommend implementing the newly introduced Firebase App Check to ensure requests are only allowed from apps that are registered in your Firebase project.
Related
My current Android Application makes use of the Firebase Realtime Database.
I am struggling with the security Rules as I wish to allow only a Single User to be able to Write data while allowing any authenticated user to read data.
I have set these rules but am unsure if they are secure enough...
{
"rules": {
".read": "auth != null",
".write": "auth.uid === 'xxxxxxxxxxxxxxxxxxxxxxx'"
}
}
Where 'xxxxxxxxxxxxxxxxxxxxxxx' is the specified user I wish to allow to write data.
Is a users uid a constant value?
What does the "Authenticate" option manage when clicking on the Simulate button when testing out new rules?
Once a user's UID is generated, it will never change. So checking the UID in the security rules is indeed a common way to ensure only that specific user has a certain permission. I do this on almost every project when getting started for the initial (admin-type) users.
We are new programmers trying to develop a meeting app based on google maps. And we are constantly researching and trying to learn swift coding and Xcode. Now we've put together a login system using Firebase and it's Auth features and our app currently is able to create a new user and save it to Firebase database and then the user can log into their account. This is, as we see it, a very basic authenticator function.
Now we want to be able to keep the user logged in after signing up in a fashion like Instagram and some other apps have (Logging in once and then not being asked to log in again until the user signs out explicitly.)
We've done some research about these methods and learned about the existence of "sessions" and "Login Tokens" but it seems like every database/app combination requires a different kind of approach.
We want to know what kind of options do we have to keep track of a user property within the rest of the app, like a constant that applies and that can be called from all of our codes and what could we do to implement a one time login function using swift and firebase/firestore combination?
Also we are new to Stackoverflow so hello everyone and we are sorry if we asked a previously asked question.
We wish everyone easy coding!
If you are using Firebase then you could use the Auth module it comes with import FirebaseAuth.
in your override viewDidAppear() you can add the check below and provide functionality
override viewDidAppear(){
super.viewDidAppear()
if Auth.auth().currentUser != nil {
// User is signed in.
// ...
} else {
// No user is signed in.
// ...
}}
if you want to get the currentUID for the user that was set by Firebase you can also use guard let uid = Auth.auth().currentUser?.uid else{return}
The company I work for has a production ROR web application that handles user authentication using devise on backend. I´ve been asked to develop a mobile app using specific IONIC 3 with firebase template, This app works along with existing ROR web app and I cannot modify backend auth, so I implemented Firebase´s Custom Token authentication and had it to work. For testing purposes I registered manually user accounts in Firebase console using existing username and uids on my baackend, but when I try to login using a user account that is not manually registered, I get the following exception "there is no user record corresponding to this identifier" I know it is because there is no user wit that uid in firebase, but reading the documentation I found here it says "...After a user signs in for the first time, a new user account is created and linked to the credentials—that is, the user name and password, phone number, or auth provider information—the user signed in with. This new account is stored as part of your Firebase project, and can be used to identify a user across every app in your project, regardless of how the user signs in...." so my question is, Is there a way to have firebase register users automatically after using SigninWithCustomToken? Can anyone advise on a correct flow to achieve sync between current back end and firebase users?
I´ve never used firebase before and have not found more than very basic documentation.
Thanks in advance.
I am modifying the FriendlyPix Firebase sample app so that only authenticated and authorized user can read data under the node. Following is the Database rule for my real-time DB
"posts": {
// ".read": true, COMMENTED OUT
"$postId": {
".read": "auth.uid === data.child('author').child('uid').val()",
".write": "!data.exists() || data.exists() && auth.uid === data.child('author').child('uid').val()",
//more code
The issue is that now a logged-in user can't read any posts (not even the ones he posted). I am using Firebase UI and Google login. What am I doing wrong?
Without the line you commented out, nobody can read from /posts. To be able to query /posts. you must be able to read from it.
This a common recurring roadblock for developers new to Firebase: rules cannot be used to filter data. I recommend you read up on that in the Firebase documentation and in the many questions on the topic.
Firebase queries are all or nothing. If you are listening to the "/posts" node of your Firebase database, a user will only get ANY data if the are authorized to see ALL of the data under that node. Your rules do allow for an author to read their own posts, but not any others. This means that the entire query will result in an authentication error.
Anytime auth is not null, it means the user is authenticated. As any authenticated user should be able to read a post, just putting read to "auth != null" will suffice. Note that this only allows logged in users to read posts, not to edit them.
I have an iOS app that I'd like to restrict access to, making it only available to users from a specific email domain.
The app requires the users to log in using their Google Account.
I've found various answers online that suggested adding
".read": "auth.token.email.endsWith('gmail.com')"
But that doesn't seem to return an error in the sign in page, but only when the user in question tries to access the database. Any suggestions?
You will have to enforce that. You have multiple tools to do so:
After signInWithCredential resolves, you can check the domain and that it is a google.com provider. If you are allowing email/password users, you need to verify those too. If the user doesn't meet your criteria, use the delete API on the user and issue an error to the user that they need to sign in with a certain account.
Enforce the check in your rules, as you can't always trust the client. Ensure that if a user signs up, and isn't deleted, he/she can't access the data.
Use Firebase functions which has a trigger for user creation. On user creation, check your criteria is met, if not, use the firebase-admin module to delete that user.
If you are using the Google sign-in library for iOS to get the Google credential, you can check the Google user email and Google ID token before you signInWithCredential in Firebase and block the sign in attempt.
Write your own clean up script: If you are hosting your own server and do not want to use Firebase Functions, you can run a daily script that downloads all your users using the Firebase CLI SDK and then deletes all users using firebase-admin SDK that do no match your criteria.
Since the required email domain is #gmail.com, you could just disable the email and password and enable the Google sign in method in your Firebase console. So, the only way a user can sign in on your app is with a Google account.
https://firebase.google.com/docs/auth/ios/google-signin
Include the email and password sign up option and just check for domains within your app. This will be a simple string comparison test on the email address.
Or just spin up a server to which you'll be sending the emails to for verification. This way you wouldn't have to push out new updates every time you add an extra domain. You can try and see if cloud functions would be helpful instead of spinning up a new server.