1
votes

Giving Admin Rights

I'm using Custom Claims to give admin rights to users, by triggering it when a document in "admins/{userId}" is created.

A Cloud Function then sets the "admin" property in the user's custom claims to true. Then the user needs to log in again and he is admin.

Now I check for the admin Custom Claim in the security Rules of Firestore and Storage, so the user can delete/edit everything.

Revoking Admin Rights???

But when I want to revoke the Admin Rights on a user, how do I make sure that the rights are really revoked everywhere?

For Firestore I can add an additional check that also gets the data from the Firestore "admins/{userId}" direction and does not allow access.

BUT if I revoke the Rights and the user does not refresh his token, he can still edit/delete everything in the Firestorage. And since I can't access Firestore data from the Storage-Security, I can't even double check the "admins/" direction.

So how do I reliably implement an admin functionality for Firestore and Storage?

1
Auth tokens expire after an hour and need to be refreshed. This happens automatically. Does the custom claim persist after an hour, when the token on the client would have to be refreshed?
Doug Stevenson

1 Answer

0
votes

As Doug Stevenson says, the token of a 'revoked admin' should expire within an hour after which the refreshed token wouldn't contain the admin custom claim. I think you're on the right track with using Firestore rules to check your 'admins' collection rather than the custom claim.

If immediately revoking rights to Firebase Storage is crucial, you may need to redesign your app so that rather than giving your client direct access to Storage, files can only be accessed through a Firebase Function you build that will validate access authorization against your Firestore 'admins' collection and, if approved, serve the file to the client.
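The answer's second suggestion (serve Storage files through a Function that checks the live Firestore 'admins' collection instead of the cached custom claim), as an added example that is not part of the original question or answer. It assumes the firebase-admin SDK, a hypothetical function name serveAdminFile, and that the client sends its ID token as a Bearer header; the authorization core takes its Firebase calls as parameters so it can be tested without Firebase.

```javascript
// Core decision, kept free of Firebase imports so it can be unit-tested with fakes.
// deps.verifyIdToken(token) -> Promise<{ uid }>; deps.adminDocExists(uid) -> Promise<boolean>
async function authorizeAdmin(req, deps) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = header.match(/^Bearer (.+)$/);
  if (!match) return { ok: false, status: 401, reason: 'missing bearer token' };
  let decoded;
  try {
    decoded = await deps.verifyIdToken(match[1]);
  } catch (e) {
    return { ok: false, status: 401, reason: 'invalid or revoked token' };
  }
  // Authoritative check: the current admins/{uid} document, not the "admin" claim
  // baked into a token that may be up to an hour old.
  if (!(await deps.adminDocExists(decoded.uid))) {
    return { ok: false, status: 403, reason: 'not an admin' };
  }
  return { ok: true, uid: decoded.uid };
}

// Production wiring; only loaded inside Cloud Functions, where firebase-admin is installed.
function firebaseDeps() {
  const admin = require('firebase-admin');
  if (!admin.apps.length) admin.initializeApp();
  return {
    // checkRevoked=true additionally rejects tokens issued before auth().revokeRefreshTokens(uid)
    verifyIdToken: (token) => admin.auth().verifyIdToken(token, true),
    adminDocExists: async (uid) => (await admin.firestore().doc(`admins/${uid}`).get()).exists,
    fileStream: (path) => admin.storage().bucket().file(path).createReadStream(),
  };
}

// HTTPS handler (hypothetical name): GET /serveAdminFile?path=uploads/report.pdf
async function serveAdminFile(req, res, deps = firebaseDeps()) {
  const auth = await authorizeAdmin(req, deps);
  if (!auth.ok) return res.status(auth.status).send(auth.reason);
  const path = String((req.query && req.query.path) || '');
  if (!path || path.includes('..')) return res.status(400).send('bad path');
  deps.fileStream(path).on('error', () => res.status(404).end()).pipe(res);
}
// In index.js: exports.serveAdminFile = functions.https.onRequest((req, res) => serveAdminFile(req, res));
```

Because the admins document is read on every request, deleting it denies the next download immediately, without waiting for the client's token to refresh.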