Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Restricting Firebase security to a specific Google Apps domain? [duplicate]

I'm currently looking to use Firebase for an internal application that can only be accessed by employees with a Google Account from our organization.

I have an understanding how I can restrict read/write access only to google logins, e.g.

{
  "rules": {
    ".read": "auth.provider === 'google'",
    ".write": "auth.provider === 'google'"
  }
}

But I can't figure out how to restrict access to a specific domain/organization within Google accounts. I know this can be done at the application level, but given the number of channels we'd use to access the database, I want to enforce the auth at the database level in addition to the application level.

Has anyone done this before? Thanks.

like image 913
Will Turnage Avatar asked Aug 05 '15 19:08

Will Turnage


People also ask

Can Firebase authentication be hacked?

As of October 2020, any website using Google Firebase Auth with email and password login is vulnerable to this sort of attack.

Why is Firebase not secure?

As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.

What are rules in Firebase Realtime Database?

Firebase Realtime Database Security Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it.


1 Answers

You can restrict access for your gmail domain with:

{
  "rules": {
    ".read": "auth.token.email.endsWith('domain.com')",
    ".write": "auth.token.email.endsWith('domain.com')"
  }
}
like image 80
halafi Avatar answered Oct 18 '22 17:10

halafi