All geek questions in one place

Set firebase security rules based on oauth user email

Is there a way to safely receive the email that they have been authenticated with using a security rule.

Ideally, I wanted to create a rule like:

{ ".read": "auth.google.email.matches(/@example.com$/)" ".write": "auth.google.email.matches(/@example.com$/)" }

So that the entire application or part of the application is protected from the suffix of the email address. It is much easier to manage my application, because users will be granted access based on the email of the company they have, all or nothing.

Alternatively, this is a way to store users โ€™email address in a database that they then cannot write, I believe that I could achieve a similar process.

+5
source share
1 answer

Answering machine. OAuth provider properties are not available in security rules. According to the documentation for the auth variable :

The predefined auth variable is null before authentication. Once the user is authenticated using the auth method to log into Firebase, it will contain the following attributes:

provider The authentication method used ("password", "anonymous", "facebook", "github", "google" or "twitter").

uid Unique user identifier guaranteed to be unique to all suppliers.

Therefore, you cannot protect data based on an email address unless you use a server to securely access your email domain.

Once you connect the server, you can:

  • Check your email address and save your verified email address in the database. You can then access it in your security rules using root.child('users').child(auth.uid).child('emailDomain').val()
  • imprint your own tokens that include the email domain so that it becomes available in the auth variable in your security rules with something like auth.emailDomain .
+3
source

Source: https://habr.com/ru/post/1242503/

More articles:


All Articles