1
votes

I have a Firebase application that only uses Google authentication. I want to give users that have never authenticated with my Firebase project access to parts of the database based on the uid of the auth provider. I want to retrieve the Google uids using the directory API and then store them in the whitelist node.

whitelist: {
  12345678: true,
  23456789: true
},
data: {}

Then I would like to do something like this in the security rules:

"rules": {
  "data": {
    ".read": "root.child('whitelist/' + auth.providerUid).exists()"
  }
}

Or something like this:

"rules": {
  "data": {
    ".read": "root.child('whitelist/' + auth.providerData[0].uid).exists()"
  }
}

But is it possible to access the provider uid in the security rules? And if so, how does this work?

1
Why can't you use auth.uid? – Frank van Puffelen
Because I want to be able to whitelist G Suite users before they have authenticated with the Firebase app. So the users I want to whitelist might not have a Firebase uid yet. – Erik van den Hoorn
Interesting. I've only ever seen that type of whitelisting by email address. Do you see disadvantages to that compared to your approach? – Frank van Puffelen
@Frank van Puffelen: The disadvantage I see there is that the email address cannot be used in the path because the dot is not allowed. Of course I could replace the dot by another character and then use a regex in the security rules to determine if access is allowed. – Erik van den Hoorn
@FrankvanPuffelen: Just found that I can use the replace function to build a whitelist based on email addresses. Here is the example in the docs. – Erik van den Hoorn

1 Answer

3
votes

The syntax seems slightly different according to the reference documentation:

firebase.identities

Dictionary of all the identities that are associated with this user's account. The keys of the dictionary can be any of the following: email, phone, google.com, facebook.com, github.com, twitter.com. The values of the dictionary are arrays of unique identifiers for each identity provider associated with the account. For example, auth.token.firebase.identities["google.com"][0] contains the first Google user ID associated with the account.

So it seems you need auth.token.firebase.identities["google.com"][0]. I must admit I've never used this though, since my security rules rely only on the user's main ID: auth.uid.
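
The question's rule combined with the expression from this answer, as an added example that is not part of the original post or of the Firebase documentation. It assumes the `whitelist` node is keyed by Google user ID and is filled server-side; the explicit lock on `whitelist` and the `auth != null` and `sign_in_provider` guards are additions here.

```json
{
  "rules": {
    // Assumption: populated server-side only (the Admin SDK bypasses these rules),
    // so clients can neither list the whitelist nor add themselves to it.
    "whitelist": {
      ".read": false,
      ".write": false
    },
    "data": {
      // Assumes whitelist keys are Google user IDs, as in the question.
      // identities['google.com'][0] is the first Google ID linked to the account.
      ".read": "auth != null && auth.token.firebase.sign_in_provider === 'google.com' && root.child('whitelist/' + auth.token.firebase.identities['google.com'][0]).exists()"
    }
  }
}
```

The rule can still read `whitelist` during evaluation, because `root.child(...)` lookups inside a rule are not subject to the `.read` rule on the node being checked.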