In Firebase, I am trying to add a way to custom sign in a user. For sake of simplicity I'll have two users for my flutter app, User 1, and User 2. User 1 decides to register an account to my app using Firebase, In this app, User 1 will be able to write data to the Realtime Database. Once User 1 is logged in, is there a way for User 1 to generate a "code", so to speak, that can allow User 2 to register by entering the it, then be able to see all the data User 1 made? In my Firebase console, all I see is various modes of sign in using social media and other platforms but no option for custom authentication. An example of code would be great but an article explaining this would also be great as I am lost on what term to lookup.
-Thank you so much and I wish you have a great rest of your day!
Firebase's custom authentication doesn't have any UI, since you're writing the code for it.
But I think here you may just be looking for something like Firebase anonymous authentication, which literally just generates a UID for the device that you run the code on. If you then log this UID and stuff it into your security rules, you have a decent starting point at what you're looking for.
{
"rules": {
".read": true,
".write": "auth.uid === 'theUidForTheUserWhoCanWrite'"
}
}
Also see:
How to only allow one admin user to write Firebase Database?
How to allow one admin user to write Firebase Database? Without changing all the other rules below
How to set one user as admin in firebase?
How to secure access for user and admin in Firebase Database?
Related
I have been looking and playing with Firebase and I found it really interesting.
So far I have tried some simple authentication and security policy setting but now I have a problem which does not seem to be covered in the documentation and I couldn't find anything on Google or here.
The problem is that I cannot find a way to limit the number of concurrent logins per email/password.
I would like to have an option where paid customers can only login from 1 IP at a time. In other words I don't want people to be able to purchase an account and then share the same with friends and family and then all connect to the system at the same time using the same credentials.
Thank you in advance.
You will control access by writing to a path in Firebase whenever a user logs in. Then you can check that path to ensure only one user exists at a time:
write a value to a path each time a user logs in (e.g. logged_in_users/$user_id)
use onDisconnect() to delete that value when user disconnects
check that path for a value on an additional login attempt
show an error if the value exists or allow login if not
This takes care of the UX portion. To secure it against exploits, you will take advantage of Firebase's comprehensive security rules:
generate your own authentication tokens using the custom login strategy
include the IP address as part of the data inside the token
reject login attempts if the logged_in_users/$user_id is set to a different IP address
write security rules to prevent read/write from other IPs
Assuming you've generated tokens containing an IP address, your security rules could look something like the following:
".read": "root.child('logged_in_users/'+auth.uid).val() === auth.ip_address"
I have users authenticating through firebase in my app, and I'm using the firebase database for storage.
In the context of a video game, I want my app to be able to insert new game items into the players inventories when they earn them in game (things like health potions). I have set up some basic Database rules so that each user, once authenticated, only has write access to their own inventory node, something like the below rule.
"$uid": {
".write": "$uid === auth.uid"
}
I'm wondering now if this setup is vulnerable to spoofed requests from a location other than my app. Could users sign in through something other than my application, and generate fake requests, filling their inventory with whatever items they please? I'd obviously want to prevent this if possible. If this setup would be vulnerable to something like that, is there another method of verifying the database inputs on the server side?
It's always possible that a user could find a way to authenticate and modify your database outside the constraints of your app code. If you want to defend against this, you will need to to one or both of these:
Make sure your security rules only allow the writes that are compatible with your game rules.
Perform the game logic on a secure backend, such as Cloud Functions, so that it can't be compromised.
It's a complex problem, with your game rules controlling the constraints on the system. You'll not likely get specific advice on here, given that your game rules are probably very complex. It's likely that #2 is your best option. You can code your client to issue requests to the backend so it can check if the request is legal, then commit the change from there.
Say I'm building some basic not-so-secure Android app, and I want to use firebase as a DB, but I really don't want the user to login. What would be my best choice of authentication?
If I allow "Annonymous" login - will this mean a big security hole, or would it just mean that programmatically I am allowed to change data anywhere in the db?
Does firebase support automatic creation/logging of user using my own custom user/id mechanism (without any user intervention)? Docs aren't very clear about that...
Anonymous log-in just provide authentication, that means you can associate a Unique ID to each of your user.
This de facto create a user ID and a Auth Token that is persisted in the phone between runs of your app. Token is refreshed when you call signInAnonymously().
Check this link for hits on how to handle anonymous logins.
Talking about security, anonymous login is not a bad practice. Obviously if you want to keep your DB safe you have to write custom access rules:
e.g. you probably want "anon_user322" to read your page content, but definitely not to modify or delete it.
Achieving this is not so hard, you have just to go to your FirebaseConsole and write your own rules for the Database.
You can find on this page a good starting guide. I suggest to watch this talk from Google I/O 2016, it is a bit long but you will be able to understand the basic of authentication and security in Firebase Database just with the first 25-30 minutes.
I was using annoymous sign in at first but it has somedown sides like you cannot export and import the exact same user on another device. Therefore i started using password authentication. You can just generate an pseudo email via uuid#yourappdomain.com and also generate the password and keep it within the appdata.
For security purpose you wont get around setting up rules for writing and reading data but it is working quite simple and easy enough to test with both methods annonymous and passoword auth.
I am developing an Android application using Google's Firebase for the backend. I have been running through some tutorials, and they make the user sign in with their Gmail before using the app in order to read and write from the database (correct me if I'm wrong). I don't want this to be the case for the purpose of privacy and not allowing users to read and write data, so how would I not make the users authenticate with their Gmail, and instead for all reads and writes, use a general gmail specific to the app?
If I don't manually add each gmail account to the firebase console directly as either an editor or owner, then users cannot log into the app. I have been following Google's firebase tutorials found here: https://firebase.google.com/docs/auth/android/google-signin
Thanks
What you're describing sounds like Firebase anonymous authentication. Users can use an anonymous account to read and write as if they are fully authenticated, without having to go through any login process. Then, if you want, you can later give them the option to link that account to a fully identified authenticated account from an authentication provider, such as Google.
Note that anonymous accounts don't survive application uninstall, and they can't be used by the same person across different devices. If you want the user to be able to log in and out and retain use of the data your store on their behalf, you need to use an authentication provider to verify that the person is who they say they are.
I was checking out Firebase Authentication and it said that it was free but I wanted to know how exactly it worked.I have my own database of users containing usernames and passwords against which I can do a SELECT * FROM USERS WHERE username=username and password=password query and get a result back but i wanted to know if firebase authentication will help me in any way with this ? Maybe it could make it more secure ? If i do user firebase authentication,will it be storing my users data in the firebase database and if so will it still be a free plan or is that paid?
Firebase Authentication fully manage user registration and/or login process of your application (even password reset process). You can view all of users data from Firebase Console.
This user data only have limited information attached to it, like email and password, and some additional information if that user account is connected with Google Authentication (like display photo, gender, etc).
But you can add your as many custom information / attribute as you want. The easiest way to do that is by saving those additional information into your Firebase Database. Check this link for more information.