I'm currently looking to use Firebase for an internal application that can only be accessed by employees with a Google Account from our organization.
I have an understanding how I can restrict read/write access only to google logins, e.g.
{
"rules": {
".read": "auth.provider === 'google'",
".write": "auth.provider === 'google'"
}
}
But I can't figure out how to restrict access to a specific domain/organization within Google accounts. I know this can be done at the application level, but given the number of channels we'd use to access the database, I want to enforce the auth at the database level in addition to the application level.
Has anyone done this before? Thanks.
As of October 2020, any website using Google Firebase Auth with email and password login is vulnerable to this sort of attack.
As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.
Firebase Realtime Database Security Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it.
You can restrict access for your gmail domain with:
{
"rules": {
".read": "auth.token.email.endsWith('domain.com')",
".write": "auth.token.email.endsWith('domain.com')"
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With