I'm using Firebase to handle my Google OAuth login for my website. Does anyone knew how to restrict the users who have access to the application? For example, I only want x#gmail.com, y#gmail.com, and z#gmail.com to successfully be able to log in via google to my application.
I wasn't sure if this was a Firebase or Google question, but any help would be much appreciated.
Firebase's authentication handles only that: the authentication of users through any of the mechanisms you enable. Whether those users have access to your data is called authorization and it is handled through the security rules of your Firebase.
So:
Authentication allows the user to identify him/herself with your application. See Firebase's documentation on authentication (for JavaScript/Web, but it exists for all supported platforms).
Authorization limits read/write access to your data to specific users, based on their authentication. See Firebase's documentation on its security rules.
Limiting access to your data to specific email addresses is certainly possible. I recommend that you read Firebase's documentation on its security rules and try to make it work based on that. If you have any problems, post what you've tried and we'll be able to help you better.
These rules will allow anybody to login, but only the listed email addresses to read or write data:
{
"rules": {
".read": "auth.email == 'x#gmail.com' ||
auth.email == 'y#gmail.com' ||
auth.email == 'z#gmail.com'",
".write": "auth.email == 'x#gmail.com' ||
auth.email == 'y#gmail.com' ||
auth.email == 'z#gmail.com'"
}
}
Related
I'm trying to write a project using Realtime Database (firebase) and Angular. Lately I've been trying to learn how to use roles in a project (user, manager, admin, etc.). Did I understand correctly - in the case of using Realtime Database, it is impossible to create roles. Instead, you need to use the rules in the database:
rules: {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
Everything was very good until I read:
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken () method.
What does "your server" mean? I am using Realtime Database and firebase authentication and this is not enough and I need server?
Maybe there is an easier way to add roles to the Realtime Database, I just haven't found it?
Here's what I want to achieve:
I have an iOS frontend, a Vapor backend, and a Firebase storage bucket. I have an app where a small portion of the functionality is being able to add images to some Note objects. When the user attaches an image to a Note, I want to upload the image to the bucket, get the key/url where it's stored, and store that in the backend DB. All that is simple enough, except - I want the bucket to be accessible ONLY by my iOS code and my backend code, so not just publicly accessible by anyone.
The backend is covered via the service account stuff. but I'm not sure about how to cover the iOS side. Firebase generated this basic rule to prevent public access:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
I believe this rule allows only Firebase-authenticated users to use the bucket, but I do not plan to authenticate my users through Firebase. Is there a way I can set up rules such that the bucket is only accessible via my own iOS code? Should I essentially just create a single Firebase user, and have the app authenticate as that user on every app launch? Can I configure Firebase such that it uses some secret that allows it to perform storage operations that get past the rules?
**edited for clarity
As #jnpdx commented, have a look at Firebase's anonymous authentication, which allows you to sign in (and identify) users without asking for credentials. Based on that you'll then want to ensure that each user can only read the files they're authorized for.
While if request.auth != null may seem good for that initially, I find it's often better to start with the principle of least privilege - and for example have some form of content ownership based access rules.
Finally, also have a look at Firebase App Check which was introduced earlier this year, and works together with the attestation providers on your phone to reduce the risk of unauthorized code being used to call the Storage APIs.
I was reading the Firebase Auth docs and in the "Manage Users" section I found this:
var multiFactorString = "MultiFactor: "
for info in user.multiFactor.enrolledFactors {
multiFactorString += info.displayName ?? "[DispayName]"
multiFactorString += " "
}
// ...
I wanted to know what this multifactorString means, or generally, what MultiFactor means in context to FirebaseAuth. Is it used to check what all providers a user can log in with (such as Google or Apple)? Or is it used for something completely different?
Please let me know what MultiFactor means, how I can make use of a MulitFactor object, and if my assumption was correct.
Thanks in advance!
GCIP (Google Cloud Identity Platform) is the upgraded version of Firebase Auth for Google Cloud developers. It also supports multi-factor authentication using SMS as a second factor. Basically after you sign in with email/password, or a social provider like Google or Facebook, you can still require an additional SMS challenge (this is independent on whether the user is using 2FA with Google)
The documentation for using this in iOS is available here.
The documentation you are referring to is the Admin SDK for managing enrolled second factors on a user. With this feature, you are able to enroll multiple second factors on the same user and you can assign them user friendly names for the user to choose from after completing the first challenge. This is documented here.
All,
I have been working on an Android App that uses firebase realtime database, cloud store and authentication. It's never going into production on the google play store - however I am worried that in a few days time, the access to the database will be denied because I don't have 'strong' rules - whatever 'strong' are.
Currently, the rules are set as follows:
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
The database and all functionality work great - what can i do to add to these rules to satisfy firebase that I now have 'Strong' rules - or at least prevent access from being denied in 30 days - as I need this app to show the functionality of the database etc.
Thanks
Automatically when you change your Firebase rules it will be propagated throughout all the database, there is no need for users to update your app, what you need to be sure is that the users have any login provider (google,facebook) because these rules are saying that only authenticated users can read and write into the database.
If you post this rules without an authentication provider from Firebase, your users will see a blank screen and they will not be able to read/write, if you have implemented a login system with any provider you would be fine
I've made an app that posts to a Twitter account of mine. Currently I have hard-coded into the system the consumer key, consumer secret, access token key and access token secret.
Now I would like to use this app for two accounts and perhaps later even more. Which values have to be changed to make the same app post into the other account and how to get the values? I can see none of them in dev.twitter.com.
The python-twitter package is probably going to be what you want here.
the way you should set this up is in settings.py put
TWITTER_ACCOUNTS = {
'public': {
'consumer_key': 'PUT_C_KEY_HERE',
'consumer_secret': 'PUT_C_SEC_HERE',
'access_token_key': 'PUT_A_KEY_HERE',
'access_token_secret': 'PUT_A_SEC_HERE',
},
'personal': {
'consumer_key': 'PUT_C_KEY_HERE',
'consumer_secret': 'PUT_C_SEC_HERE',
'access_token_key': 'PUT_A_KEY_HERE',
'access_token_secret': 'PUT_A_SEC_HERE',
},
}
from twitter api page:
For applications with single-user use cases, we now offer the ability to issue an access token for your own account (and your own applications). You can generate these keys from your application details pages.
go to https://dev.twitter.com/apps to get your keys
Then in your code when doing your initialisation, (e.g. for personal account) put
import twitter
from django.conf import settings
account = settings.TWITTER_ACCOUNTS['personal']
api = twitter.Api(**account) # <----This will inject your account settings as keyword args
status = api.PostUpdate('I love python-twitter!')
Hope this helps you.
EDIT:
To register your second account with the application, Follow these instructions from Step 3: http://jeffmiller.github.com/2010/05/31/twitter-from-the-command-line-in-python-using-oauth