
Secret URL authentication with Firebase

I have a client-side web app using Firestore and Cloud Functions.

I would like to set up rules such that if a user has a secret URL for a document, that user is able to write to it, without needing any other kind of login or authentication. Something like (pseudo-code, I just made up request.params.secret_token):

service cloud.firestore {
  match /databases/{database}/documents {
    match /cities/{city} {
      allow read, write: if resource.data.secret_token == request.params.secret_token;
    }
  }
}

I'm confused by the various authentication options available and can't quite reason through the best way forward.

Potential options that feel close:

  • Anonymous authentication might be needed; that could get me an auth token. As far as I can tell I can't get very far without one of these.
  • Use a custom claim, but it says you can only set them securely on the server side.
  • Use a custom token, but this seems more applicable when I have a pre-existing sign-in server component.
asked Mar 24 '18 23:03

Xavier Shay



1 Answer

> if a user has a secret URL for a document that user is able to write to it, without needing any other kind of login or authentication.

Simply set your database rules to allow anyone to read and/or write the data at the path specified in the JavaScript on/in that particular webpage. Maybe simply put the database read or write in a <script> tag after your Firebase <script> tag right in that page.

However, like you said, anyone that visits that page/URL is gonna be able to read and/or write whatever data is in that particular node, or field, or document.

Edit the firestore.rules file like so to enable read write for anyone/all. See Documentation.

service cloud.firestore {
  match /databases/{database}/documents {
    match /<some_path>/ {
      allow read, write;
    }
  }
}
answered Oct 22 '22 05:10

Ronnie Royston
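
An added example, not part of the question or the answer above: one way to approximate a secret URL with rules alone is to make the document ID itself the secret, so the rule relies on the document path instead of the made-up request.params. It assumes {city} is a long random ID generated for this purpose and uses the hypothetical field names name and population; the commented-out rule is the open form, shown for comparison.

```firestore-security-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Open form, for comparison: any client may read, list, create,
    // overwrite or delete every document in the collection.
    //   match /cities/{city} { allow read, write; }

    // Scoped form. Assumption: {city} is a long random ID, so knowing
    // the URL means knowing the exact document path.
    match /cities/{city} {
      // Fetching one document by its exact path is allowed ...
      allow get: if true;
      // ... but collection queries are not, so IDs cannot be enumerated.
      allow list: if false;

      // Holders of the URL may change only the fields named here
      // ('name' and 'population' are hypothetical field names).
      allow update: if request.resource.data.diff(resource.data)
                         .affectedKeys().hasOnly(['name', 'population']);

      // Creating and deleting documents is left to trusted server code;
      // the Admin SDK (for example in a Cloud Function) bypasses these rules.
      allow create, delete: if false;
    }
  }
}
```

Anyone who obtains the URL gets the same access as the intended user, so the ID has to be handled like a password.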