how do I implement role based access control in firebase

firebase firebase-security

This is my first foray into Firebase & nosql, I come from a SQL background.

Using Simple Login Security Email/Password, how do I limit access to data in Firebase? For example, some user will have access to create a business object (users, customers, categories, etc), others won't. Is there a way to attach a list of permissions to the "auth" variable?


There isn't a way to attach permissions directly to the auth variable (or at least that doesn't seem to be an intended strategy). I'd recommend creating a collection of users organized by auth.uid and you can keep whatever kind of permission attributes you want in there, such that your security rules might something look like this (untested):

{
  "rules": {
    ".read": true,
    "users": {
      ".write": "root.child('users').child(auth.uid).child('role').val() == 'admin'"
    }
  }
}

Where role is an attribute belonging to all objects in your users collection.

UPDATE

See comment below:

"There isn't a way to attach permissions directly to the auth variable" This changed in 2017. You can now attach custom claims to an auth profile, which are available in security rules. See bojeil's answer and the Firebase documentation for custom claims. – Frank van Puffelen


Firebase launched support for role based access on any user via custom user claims on the ID token: https://firebase.google.com/docs/auth/admin/custom-claims

You would define the admin access rule:

{
  "rules": {
    "adminContent": {
      ".read": "auth.token.admin === true",
      ".write": "auth.token.admin === true",
    }
  }
}

Set the user role with the Firebase Admin SDK:

// Set admin privilege on the user corresponding to uid.
admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
  // The new custom claims will propagate to the user's ID token the
  // next time a new one is issued.
});

This will propagate to the corresponding user's ID token claims. You can force token refresh immediately after: user.getIdToken(true)

To parse it from the token on the client, you need to base64 decode the ID token's payload: https://firebase.google.com/docs/auth/admin/custom-claims#access_custom_claims_on_the_client

You can upgrade/downgrade users as needed. They also provided a programmatic way to list all users if you have recurring scripts to change a users' access levels: https://firebase.google.com/docs/auth/admin/manage-users#list_all_users

Related

System.Data.OracleClient requires Oracle client software version 8.1.7
How to implement the Hashable Protocol in Swift for an Int array (a custom string struct)
How to make a batch file delete itself?
Android Webview POST
Heroku Postgres Error: PGError: ERROR: relation "organizations" does not exist (ActiveRecord::StatementInvalid)
How to read a list of files from a folder using PHP? [closed]
Android quotes within an sql query string
How can I change separator color in NavigationView?
How I can select rows from a dataframe that do not match?
Reading a register value into a C variable [duplicate]
Apache Spark - foreach Vs foreachPartition When to use What?
Obtain a reference to <script> parent element [duplicate]