5

Introduction

I am building a Firebase web client app. I would like to set Firebase Database rules.

  1. A new user registers with a Firebase app. Firebase gives him a user.UID.
  2. Then, an admin deletes OR disables the user from the Firebase admin console.
  3. The user refreshes the client app.
  4. (I find out that) the user can still write to the Firebase database even though his account has been deleted/disabled.


Goal / Intention

I would like to set a rule that prevents access (.read OR .write) to the Firebase database when the user does not exist OR is disabled in the admin console (auth/users).

Something like this:

"rules":{
  "$uid":{
    ".write":"auth.isUserActive(auth.uid) == true"
  }
}


FIREBASE REFERENCE DOC: https://firebase.google.com/docs/reference/security/database/#auth

Question

How can I achieve the above intention? What rules should I set for the Firebase DB?

Nik

2 Answers

4

Deleting a user doesn't revoke existing tokens for that user. See Firebase authentication not revoked when user deleted?. If you're using one of the standard identity providers, this means that the user may still be able to access the data for an hour after you delete the account.

There is no API for your code to check whether a given uid still exists. And even if such an API existed, it wouldn't help in this case, since a malicious user could just bypass that check and call the API directly.

A simple way to deal with this scenario is to keep a whitelist of allowed or blacklist of disallowed users in your database. For a blacklist, you'd keep a top-level (world readable, admin only writeable) list of banned/deleted users:

banned
  uid12345: true

When your admins delete a user, they also add them to this list.

And then in your security rules, you check and disallow access for banned users. E.g.:

"posts": {
  ".read": "auth != null && !root.child('banned').child(auth.uid).exists()"
}
Frank van Puffelen
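Worked example of the ban-list pattern described in the answer above. This is added here and is not part of the answer or of any Firebase code: the rules object is a complete rules file for the pattern, `banUser` is the server-side procedure an admin tool would run with the Admin SDK, and the two small predicates simulate the rule expressions over an in-memory snapshot so the allow/deny matrix can be checked offline. The path names (/banned, /users/$uid), the per-user ownership check, the injected `auth`/`bannedRef` handles and the sample snapshot are assumptions for this example.

```javascript
// Added example, not code from the original post. Models the ban-list pattern:
// complete rules, the server-side ban procedure, and an offline simulation of
// the rule expressions. The simulation is NOT the Firebase rules engine.

// Complete rules for the pattern. Paths and the ownership check are assumed.
const RULES = {
  rules: {
    // World readable (rules can look it up for any caller) and never client
    // writable: only the Admin SDK, which bypasses rules, may add entries, so a
    // banned client cannot remove its own entry.
    banned: {
      ".read": "true",
      ".write": "false",
    },
    users: {
      $uid: {
        ".read":  "auth != null && auth.uid == $uid && !root.child('banned').child(auth.uid).exists()",
        ".write": "auth != null && auth.uid == $uid && !root.child('banned').child(auth.uid).exists()",
      },
    },
  },
};

// Same predicate as root.child('banned').child(uid).exists(), over a snapshot.
function bannedExists(db, uid) {
  return db.banned !== undefined && Object.prototype.hasOwnProperty.call(db.banned, uid);
}

// Same predicate as the .read/.write expression on /users/$uid.
function usersRuleAllows(db, auth, uid) {
  return auth !== null && auth.uid === uid && !bannedExists(db, auth.uid);
}

// Server-side ban procedure. `auth` and `bannedRef` are injected: in production
// pass admin.auth() and admin.database().ref("banned") from firebase-admin; the
// offline run below passes fakes. Order matters: the ban entry is written BEFORE
// the account is disabled or deleted, because deleting the account does not
// invalidate ID tokens the user already holds (valid for up to an hour), and the
// rules must be able to see the ban entry for that whole window.
async function banUser(auth, bannedRef, uid, { deleteAccount = false } = {}) {
  await bannedRef.child(uid).set({ at: Date.now() });
  if (deleteAccount) {
    await auth.deleteUser(uid);
  } else {
    await auth.updateUser(uid, { disabled: true });
  }
}

// Constructed sample snapshot (not real data).
function makeSnapshot() {
  return { banned: {}, users: { alice: { name: "Alice" }, mallory: { name: "Mallory" } } };
}

// Fake Admin SDK handles that record the call order and mutate the snapshot.
function makeFakeAdmin(db) {
  const log = [];
  const auth = {
    async updateUser(uid, props) { log.push(["updateUser", uid, props]); },
    async deleteUser(uid) { log.push(["deleteUser", uid]); },
  };
  const bannedRef = {
    child(uid) {
      return { async set(value) { log.push(["set", uid]); db.banned[uid] = value; } };
    },
  };
  return { auth, bannedRef, log };
}

// The scenario from the question: mallory is deleted server-side while still
// holding a valid ID token. Returns the call order and the access matrix.
async function scenario() {
  const db = makeSnapshot();
  const { auth, bannedRef, log } = makeFakeAdmin(db);
  const malloryToken = { uid: "mallory" }; // still valid for up to an hour
  const aliceToken = { uid: "alice" };

  await banUser(auth, bannedRef, "mallory", { deleteAccount: true });

  return {
    order: log.map((e) => e[0]),                                   // ["set", "deleteUser"]
    malloryOwnWrite: usersRuleAllows(db, malloryToken, "mallory"), // false: banned
    aliceOwnWrite: usersRuleAllows(db, aliceToken, "alice"),       // true
    aliceOtherWrite: usersRuleAllows(db, aliceToken, "mallory"),   // false: not owner
    anonymousRead: usersRuleAllows(db, null, "alice"),             // false: no auth
  };
}
```

The ban entry is written by server-side code only; the Admin SDK bypasses rules, which is why `/banned` can be `.write: false` for every client. The Admin SDK's `revokeRefreshTokens(uid)` stops new ID tokens from being minted for the user, but ID tokens already issued stay valid until they expire, so the ban entry is still what the rules rely on during that window.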
0

You can do it with User Based Security as per the v2 doc:

// Legacy (v2) token generator; the npm package is "firebase-token-generator"
var FirebaseTokenGenerator = require("firebase-token-generator");
// FIREBASE_SECRET is the project's legacy database secret (server side only)
var tokenGenerator = new FirebaseTokenGenerator(FIREBASE_SECRET);
// Custom claims in the payload become auth.<claim> in security rules
var token = tokenGenerator.createToken({ "uid": "1", "hasEmergencyTowel": true });

For the token created above, you could write the rules as follows:

{
  "rules": {
    "frood": {
      ".read": "auth.hasEmergencyTowel === false"
    }
  }
}

This could be called once the UID scope is about to end.

For reference: User Based Security Doc -v2

gsthina
  • How would this help for a user whose account has been deleted? – Frank van Puffelen Jul 05 '16 at 15:41
  • Read my answer properly :) Not allow to delete, but allow to change the user access rules. This function can be called while we delete a user account! – gsthina Jul 05 '16 at 16:24
  • Minting a new token does not invalidate existing tokens. This is inherent to a claims-based token system: once the token has been created and handed out, you cannot change the claims in it. What would call the function? If it's the client-side app, then a malicious user can bypass that call. – Frank van Puffelen Jul 05 '16 at 17:01
  • I would prefer answers with a server-side solution. A malicious user can bypass client-side code. – Nik Jul 08 '16 at 03:12