5
votes

Introduction

I am building a Firebase web client app. I would like to set Firebase Database rules.

  1. A new user registers to a Firebase app. Firebase gives him a user.UID.
  2. Then, an admin deletes OR disables the user from the Firebase admin console.
  3. The user refreshes the client app.
  4. (I find out that) the user can still write to the Firebase database even though his account has been deleted/disabled.


Goal / Intention

I would like to set a rule that prevents access (.read OR .write) to the Firebase database when the user does not exist OR is disabled in the admin console (auth/users).

Something like this:

{
  "rules": {
    "$uid": {
      ".write": "auth.isUserActive(auth.uid) == true"
    }
  }
}


FIREBASE REFERENCE DOC: https://firebase.google.com/docs/reference/security/database/#auth

Question

How can I achieve the above intention? What rules should I set in the Firebase DB?


2 Answers

4
votes

Deleting a user doesn't revoke existing tokens for that user. See Firebase authentication not revoked when user deleted?. If you're using one of the standard identity providers, this means that the users may still be able to access the data for an hour after you delete the account.

There is no API for your code to check whether a given uid still exists. And even if such an API existed, it wouldn't help in this case, since a malicious user could just bypass that check and call the API directly.

A simple way to deal with this scenario is to keep a whitelist of allowed or blacklist of disallowed users in your database. For a blacklist, you'd keep a top-level (world readable, admin only writeable) list of banned/deleted users:

banned
  uid12345: true

When your admins delete a user, they also add them to this list.

And then in your security rules, you check and disallow access for banned users. E.g.:

"posts": {
  ".read": "auth != null && !root.child('banned').child(auth.uid).exists()"
}
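The banned-list pattern described in this answer, written out end to end as an added example (this is not code from the original answer): the rules that deny `/posts` to listed uids, the admin-side procedure that disables the account and records it in `/banned`, and a local mirror of the rule expression so the pattern can be checked offline. It assumes the Firebase Admin SDK (`firebase-admin`) for the real `auth` and `db` handles; the in-memory stand-ins in `makeFakeAdmin` are constructed here purely so the script runs without a project.

```javascript
// Added example (not from the original answer): the "banned list" pattern.
// Production use assumes firebase-admin handles for `auth` and `db`; the
// in-memory fake below is constructed here so the logic can run offline.

// Realtime Database rules: /banned is world-readable and never client-writable
// (only the Admin SDK, which bypasses rules, can write it); /posts is denied to
// any uid present in /banned, even while that user's ID token is still valid.
const RULES = JSON.stringify({
  rules: {
    banned: { ".read": true, ".write": false },
    posts: {
      ".read": "auth != null && !root.child('banned').child(auth.uid).exists()",
      ".write": "auth != null && !root.child('banned').child(auth.uid).exists()"
    }
  }
}, null, 2);

// Admin-side ban: revoke refresh tokens so no new ID tokens are minted, disable
// (or delete) the account, and record the uid so rules deny it immediately.
async function banUser(auth, db, uid) {
  await auth.revokeRefreshTokens(uid);            // firebase-admin Auth API
  await auth.updateUser(uid, { disabled: true }); // or auth.deleteUser(uid)
  await db.ref(`banned/${uid}`).set(true);        // firebase-admin Database API
  return uid;
}

// Local mirror of the rule expression above: true when `authUser` may access
// /posts given the current contents of /banned.
function postsAccessAllowed(authUser, bannedMap) {
  if (authUser == null) return false;
  return !Object.prototype.hasOwnProperty.call(bannedMap, authUser.uid);
}

// Constructed stand-ins for the Admin SDK handles (demo only, not the real SDK).
function makeFakeAdmin() {
  const users = { uid12345: { disabled: false, tokensValidAfter: 0 } };
  const data = { banned: {} };
  const auth = {
    revokeRefreshTokens: async (uid) => { users[uid].tokensValidAfter = Date.now(); },
    updateUser: async (uid, props) => { Object.assign(users[uid], props); return users[uid]; },
  };
  const db = {
    ref: (path) => ({
      set: async (value) => { const [top, key] = path.split('/'); data[top][key] = value; },
    }),
  };
  return { auth, db, users, data };
}

// Runs the procedure against the fake and reports access before and after.
async function demo() {
  const fake = makeFakeAdmin();
  const before = postsAccessAllowed({ uid: 'uid12345' }, fake.data.banned);
  await banUser(fake.auth, fake.db, 'uid12345');
  const after = postsAccessAllowed({ uid: 'uid12345' }, fake.data.banned);
  return { before, after, disabled: fake.users.uid12345.disabled, banned: fake.data.banned };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((result) => { console.log(RULES); console.log(result); });
}
```

Because the Admin SDK bypasses security rules, `/banned` can stay `.write: false` for every client while the admin script still populates it; the rule check on `/posts` then closes the window between deleting the account and the old ID token expiring.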

0
votes

You can do it with User Based Security as per the v2 doc:

// Legacy (v2) custom token generation; FIREBASE_SECRET is the database secret
// from the Firebase console and must never be shipped to a client.
var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(FIREBASE_SECRET);
var token = tokenGenerator.createToken({ "uid": "1", "hasEmergencyTowel": true });

For the token created above, you could write the rules as follows:

{
  "rules": {
    "frood": {
      ".read": "auth.hasEmergencyTowel === false"
    }
  }
}

This could be called once the UID scope is about to end.

For reference: User Based Security Doc -v2