Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I lock down Firebase Database to any user from a specific (email) domain?

I have a small, personal Firebase webapp that uses Firebase Database. I want to secure (lock down) this app to any user from a single, specific domain. I want to authenticate with Google. I'm not clear how to configure the rules to say "only users from a single, specific domain (say @foobar.com) can read and write to this database".

(Part of the issue that I see: it's hard to bootstrap a Database with enough info to make this use case work. I need to know the user's email at the time of authentication, but auth object doesn't contain email. It seems to be a chicken-egg problem, because I need to write Firebase rules that refer to data in the Database, but that data doesn't exist yet because my user can't write to the database.)

If auth had email, then I could write the rules easily.

Thanks in advance!

like image 918
Seth Ladd Avatar asked Apr 29 '16 16:04

Seth Ladd


People also ask

What is locked mode in Firebase?

When you create a database or storage instance in the Firebase console, you choose whether your Firebase Security Rules restrict access to your data (Locked mode) or allow anyone access (Test mode). In Cloud Firestore and Realtime Database, the default rules for Locked mode deny access to all users.

Can anyone access my Firebase database?

The answer is anyone. Firebase doesn't require an SQL user or anything, just connect. Use firebase security rules, validation rules, and functions, to guarantee data consistency.

How do you secure a Firebase rule?

How do they work? Firebase Security Rules work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths. All Rules across Firebase products have a path-matching component and a conditional statement allowing read or write access.


2 Answers

If you're using the new Firebase this is now possible, since the email is available in the security rules.

In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile:

{   "rules": {     ".read": "auth != null",     "gmailUsers": {       "$uid": {         ".write": "auth.token.email_verified == true &&                     auth.token.email.matches(/.*@gmail.com$/)"       }     }   } } 

You can enter these rules in the Firebase Database console of your project.

like image 156
Frank van Puffelen Avatar answered Sep 21 '22 18:09

Frank van Puffelen


Here is code working fine with my database , I have set rule that only my company emails can read and write data of my firebase database .

{   "rules": {     ".read": "auth.token.email.matches(/.*@yourcompany.com$/)",           ".write": "auth.token.email.matches(/.*@yourcompany.com$/)"       }     } 
like image 40
Rishi Avatar answered Sep 24 '22 18:09

Rishi