13

I have a static app hosted on Firebase hosting whose backend is also on Firebase(communicating using firebase JS api). I want to add a simple auth page to all pages of this website so that only users I want can access this site. Is this possible?

Looked at the docs but didn't find anything that helps me in this regard.

Peter Haddad
  • 78,874
  • 25
  • 140
  • 134
ayushgp
  • 4,891
  • 8
  • 40
  • 75
  • @PeterHaddad I've developed this for a single user but since it is hosted on firebase, web don't want any sign ups but just one account that can be used to access this site. – ayushgp Feb 12 '18 at 19:11

3 Answers3

13

You can do this using Firebase Functions, and an Express call. Put all of your static files into a folder named functions/admin and put this function into functions/index.js:

exports.admin = functions.https.onRequest((req, res) => {
  const url = req.originalUrl ? req.originalUrl : '/index.html'  // default to index.html
  res.sendfile('admin' + url)
})

Then, a request to your functions server for /admin/* will serve up the file of the same name.

If you want to add authorization, try this:

exports.admin = functions.https.onRequest(async (req, res) => {
  const url = req.originalUrl ? req.originalUrl : '/index.html'
  const user = await get_user(req)  // get the current user
  if (user && user.is_admin)        // is current user an admin?
    res.sendfile('admin' + url)
  else {
    res.status(403).send(null)
  }
})

You will have to define get_user() so it returns a user object with an is_admin field.

Brent Washburne
  • 12,904
  • 4
  • 60
  • 82
  • You stopped explaining at the most important part I guess, authentication. Can you please elaborate a bit more on how you get the current user from out of the Request object (i.e. with get_user(req))? – Burak May 12 '21 at 11:40
  • Add middleware that performs authentication, maybe something like this: https://www.codementor.io/@victornwaiwu/using-firebase-as-an-authenticating-middleware-in-express-js-5z435fvaz – Brent Washburne May 18 '21 at 03:04
6

Firebase Hosting provides no way to limit access to the static resources (HTML, CSS, JavaScript) of your site. See Can Firebase hosting restrict access to resources?, Firebase Hosting - Members Only / Secured Webpages?.

But if your site serves dynamic content (e.g. loads data from the Firebase Database from JavaScript, or uploads images to Firebase Storage) you can use Firebase Authentication plus the server-side security rules (database, storage) of those products to ensure users can only take actions they're authorized for.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
0

This can be done by adding rules to your Firebase Database, to only let authenticated users enter the website you can use this:

// These rules require authentication
{
 "rules": {
   ".read": "auth != null",
   ".write": "auth != null"
 } 
}

You can use this:

 {
 "rules": {
   "admin": {
       "$uid": {
          ".write": "$uid === auth.uid"
      }
    }
  }
}

Using the above you will let only the users under the admin node(they must be authenticated) to write to the database and no one else can.

more info here: https://firebase.google.com/docs/database/security/

Peter Haddad
  • 78,874
  • 25
  • 140
  • 134
  • 3
    That's for Firebase Database, not for hosting. – Dimitri May 16 '18 at 17:23
  • 1
    @Dimitri OP wanted some users to access the website, and with rules it can be done, even the first answer said it `you can use Firebase Authentication plus the server-side security rules (database, storage) of those products to ensure users can only take actions they're authorized for.` – Peter Haddad May 16 '18 at 17:36