firebase realtime db security rule to allow specific users

1
votes

my current firebase realtime security rules are like below

{
  "rules": {
    "users": {
      ".read" : true,
      ".indexOn": ["email"],
      "$user_id": {
        ".read": true,
        ".write": "auth != null && $user_id === auth.uid"
      }
    }
  }
}

they translates as only the authenticated user can write the data to his own node under users/

However, we have admin users who should be able to modify the data of non admin users.

The way we identify admin users are a user property isAdmin which is true for admin users. so the sample data with a admin and non admin user looks like below

{
"users": {
 "kldjjfjf" : {
                 "name": "vik", "isAdmin": true
              },
 "lfllfomr": {
                 "name": "neeti", "isAdmin": false
             }
}

Please advise what is the best practice to handle this kind of usecases? doing a .write true will solve it but then it will make it open to anyone to modify anyone's data.

2
firebasefirebase-realtime-databasefirebase-security

2 Answers

2
votes

The simplest ways I've found to allow Administrative access is to:

  1. Use a custom claim for admins
  2. Use a whitelist of admin UIDs

Use a custom claim for admins

You can add custom claims to Firebase Authentication user profiles with the Admin SDK. Claims are custom key/value pairs that you determine the meaning of yourself. The first example from the documentation shows setting a claim called admin to true, for example with the Admin SDK for Node.js:

admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
// The new custom claims will propagate to the user's ID token the
// next time a new one is issued.
});

Once a custom claim is set, it is transported to the client when it signs in, and is also available in security rules. You can check the above with:

".write": "auth != null && ($user_id === auth.uid || auth.token.admin === true)"

Use a whitelist of admin UIDs

A simple alternative is to store a list of UIDs in your database of users with specific privileges. For example, you could have a top-level Admins list:

Admins
  uidOfVik: true
  uidOfPuf: true

The above means that you and me are admins. You then check for those in the security rules:

".write": "auth != null && ($user_id === auth.uid || root.child('Admins').child(auth.uid).exists())"
0
votes

Here's an alternative:

Firebase security rules only apply to clients connecting normally to the application.

If you have your own back end (I can't assume that, because Firebase is made for Serverless computing) then it can connect to the application with the admin SDK, which bypasses the security rules.

Alternatively, you can make a separate application for your admin users, that will connect to firebase using the admin SDK.

More information: Firebase Documentation - Firebase Admin SDK