41

I have just deployed a website to Firebase hosting and it works great - setup was super easy.

My question is, however, is there any way I can make accessing the website limited by authentication? It's an admin panel that only my team should be able to access. Is there any way I can password protect or privatize my website hosted on Firebase?

Thanks!

ryangineer

3 Answers

26

This is not possible at present, though it's been a popular feature request. We have some ideas about how we might tackle something like this, but nothing to announce at this time.

Michael Bleigh
  • 8
    Hmmm, as great as it is to hear an official response about a popular request, I don't think it's worth upvoting (yet). We look forward to your edit to this answer with a link to the release notes! I have saved my upvote for then! :D – varun Jul 06 '19 at 12:38
  • 20
    Almost 3 years later, is there still nothing to announce? Sad times. – JustDanyul Apr 17 '20 at 18:36
  • 9
    I was really surprised when I discovered Firebase Hosting wasn't capable of something as simple as basic auth, which is usually my go-to solution for providing a client with private access to a project still in development. It makes me wonder what other limitations will surprise me... – David Jones Jun 10 '20 at 01:14
  • 1
    @michael Bleigh any luck? – Rob Grant Nov 05 '20 at 19:39
  • 2
    Dang! I really wish we had this :( How can I restrict access to my staging and dev projects then? – Red2678 Dec 30 '20 at 11:32
  • Looks like there still isn't an easy solution for this!? :( Trying a workaround now by adding a temporary domain (that cannot be guessed) to Firebase Hosting that we can remove again later. Not really secure, but at least "something". – Klemens Zleptnig Feb 22 '21 at 18:38
  • 1
    Six years... This would be a nice feature to lock at least by network access. – crtag Mar 10 '23 at 07:04
8

Late to the party, but ran into a similar problem when wanting to create a dashboard available only to users on our domain (but without wanting to manage individual accounts).

Ended up using the standard Google auth flow, but restricting data access via DB rules. To see if a user is authorised, we attempt to access data directly after login (and before we report back to the user). If it fails on auth grounds, our user is an outsider.

Firebase DB Rule:

{
  "rules": {
  ".read": "auth.token.email_verified == true && auth.token.email.matches(/.*@ourdomain\\.org$/)",
    ".write": false
  }
}

See https://firebase.google.com/docs/reference/security/database/

Note: this was definitely made easier due to our org running our mail through G Suite; however, you could easily define more granular rules where this option isn't available.

som
  • 2
    So you're running a firebase database aside from static firebase hosting? How are you preventing the static files from being served to the user? I'm new to the firebase stack, can you elaborate a bit on what you did? – Konstantin Schubert Mar 15 '18 at 02:04
  • 3
    Hi Konstantin, I guess the idea with this setup is that the static files remain publicly accessible, but the data itself is private. This is the way most admin areas work. If there were static files that needed to be protected then you could use Firebase cloud storage and a similar ruleset logic to above, which would afford the same level of security. See https://firebase.google.com/docs/storage/security/ – som Mar 15 '18 at 02:53
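
A local model of the `.read` condition from the rule in the answer above, useful for checking which token claims it admits before deploying it. This is an added example, not code from the answer or from Firebase; it assumes a JavaScript `RegExp` behaves like the rules engine's `matches()` for this pattern, and the names `readAllowed`, `evaluate` and all sample addresses are constructed for illustration.

```javascript
// Two spellings of the domain pattern: with the dot unescaped it matches
// any character, with the dot escaped it matches only a literal ".".
const DOT_ANY = /.*@ourdomain.org$/;
const DOT_LITERAL = /.*@ourdomain\.org$/;

// token models the auth.token claims the rule reads. A signed-out user has
// no token, which the real rule also denies.
function readAllowed(token, pattern) {
  if (!token || token.email_verified !== true) return false;
  if (typeof token.email !== "string") return false;
  return pattern.test(token.email);
}

// Constructed sample claims, not real accounts.
const SAMPLES = [
  { name: "team member", token: { email: "ana@ourdomain.org", email_verified: true } },
  { name: "unverified", token: { email: "ana@ourdomain.org", email_verified: false } },
  { name: "suffix appended", token: { email: "x@ourdomain.org.example.net", email_verified: true } },
  { name: "prefixed domain", token: { email: "x@notourdomain.org", email_verified: true } },
  { name: "subdomain", token: { email: "x@mail.ourdomain.org", email_verified: true } },
  { name: "dot wildcard", token: { email: "x@ourdomainXorg", email_verified: true } },
  { name: "signed out", token: null },
];

// Returns { sampleName: allowed } for one pattern.
function evaluate(pattern) {
  const out = {};
  for (const s of SAMPLES) out[s.name] = readAllowed(s.token, pattern);
  return out;
}

console.log("dot unescaped:", evaluate(DOT_ANY));
console.log("dot escaped:  ", evaluate(DOT_LITERAL));
```

The `$` anchor is what rejects the appended-suffix address, and the `email_verified` check is what rejects an unverified address on the right domain; the rule still protects only the data, not the static files served by Hosting.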
3

The simplest way to solve this for me was to move my app from Firebase to AWS Amplify. It allows you to password protect the app. Under access control, change it from 'Publicly viewable' to 'restricted'. If you're looking for a feature that is similar but in my opinion more robust than Firebase Auth, then integrate AWS Cognito into your app; with AWS Cognito, you're able to prevent new user sign-ups and restrict new user emails to specific domains, among other features.