I'm hosting a site using firebase and want to be able to prevent people from accessing it, tried using a .htaccess file, wondering if anyone has been able to do it before.
Asked
Active
Viewed 8,436 times
24
-
4This is not currently supported by Firebase Hosting. – Rob DiMarco Jul 09 '15 at 17:42
-
Thanks, good to know! – Tyler Iguchi Jul 09 '15 at 18:37
-
If I understand correctly, Firebase Hosting is provided on top of a Node.js platform, so this should be possible in theory... (I haven't tested it): https://www.sitepoint.com/http-authentication-in-node-js/ – DavidTaubmann Mar 18 '17 at 01:03
3 Answers
22
Here is a little hack that simulates HTTP Basic authentication using firebase cloud functions and a little rearrangement of files.
There are 3 steps to this:
- Set up the necessary cloud function
- Move the files you want to protect into a "secret" folder
- Update your
firebase.json
1. Cloud Function
const USERNAME = 'USERNAME'
const PASSWORD = 'PASSWORD'
const denyAccess = (res) => {
res.statusCode = 401;
res.setHeader('WWW-Authenticate', 'Basic realm="Authorization
Required');
res.end('Unauthorized');
}
exports.authorizeAccess = functions.https.onRequest((req, res) => {
if (typeof req.headers.authorization !== 'string') {
denyAccess(res);
return;
}
const base64Auth = req.headers.authorization.split(' ')[1];
if (typeof base64Auth !== 'string' ) {
denyAccess(res);
return;
}
const [user, pass] = Buffer.from(base64Auth,
'base64').toString().split(':');
if (user !== USERNAME || pass !== PASSWORD) {
denyAccess(res);
return;
}
const urlObject = url.parse(req.url);
urlObject.pathname =
`/${PASSWORD}${urlObject.pathname}`;
const location = url.format(urlObject);
res.writeHead(302, { location });
res.end();
});
2. Move files into secret folder
Suppose the folder that you have set as public in firebase.json looks like this:
.
├── index.html
├── js
| ├── main.js
| └── main.js.map
└── styles.css
then make it look like this
.
└── PASSWORD
├── index.html
├── js
| ├── main.js
| └── main.js.map
└── styles.css
3. firebase.json
{
...
"rewrites": {
"source": "/"
"function": "authorizeAccess"
}
...
}
We had to password protect our source maps in production; we had to have them in there in the first place so that Sentry would pick it up. Our build scripts would take care of moving the files into the necessary folder.
Rajiv Ram V
- 364
- 2
- 7
-
4Great workaround. I guess this is the way until Google introduces an **dedicated** authentication and authorization system for it's static cloud hosting solution. Google actually acknowledges that it is a ["popular request"](https://stackoverflow.com/a/44296044/6086782). Let's see when they walk the talk. Thanks for sharing your solution, Rajiv Ram! :D – varun Jul 06 '19 at 12:50
-
To clarify, this will only require an auth at toplevel, the subfolder named _password_ is directly accessable if the url is known. I am unable to get the function running when visiting the subfolder. – Ti Hausmann Apr 23 '20 at 17:51
-
-
1Got it, I believe it's as simple as importing one of the nodejs modules. `const url = require('url');` – luker02 Sep 10 '20 at 04:10
6
If you are hosting a site, and want to access firebase data on your site, you can add authentication to your application to control who can change or view data. According to the manual: Firebase Authentication
Steven Scott
- 10,234
- 9
- 69
- 117
0
With Firebase hosting channels you can have "preview" channels that include a random hash in their URLs, like SITE_ID--CHANNEL_ID-RANDOM_HASH.web.app. So that only people you gave this secret URL can access this site. Note that "preview" channels have an expiration delay that can be up to 30 days from the date of deploy.
Laurent Payot
- 2,048
- 2
- 17
- 13