Controlling Data Access Using Firebase Auth Custom Claims (Firecasts)
Articles Blog

Controlling Data Access Using Firebase Auth Custom Claims (Firecasts)

52 thoughts on “Controlling Data Access Using Firebase Auth Custom Claims (Firecasts)

  1. This is very good stuff. I use React Loadable to conditionally load restricted app logic. It would be so great if there was a way in firebase hosting to apply security rules to individual named chunks of app code.

  2. Yeah, also you can polish it in design (in most cases) your access rules usually are on order like

    Admin > Moderator > Editor > User

    in which every role has all the accessibility of what is beneath it. Rather than giving the admin all these status or even set-up rules to allow it for every status, just make it a number.

    4 > 3 > 2 > 1.
    if: token.role > 1 (allow it for the editor and moderator and admin but not the user)
    if: token.role > 2 (only for moderator and admin)..etc

    The downside of this method is if you later on wanna add a rule, it might get complex. So if you need 5 different role put them like this:

    Reason is later on if you wanted to add a role that's stronger than role 3 but less than 4 you can make it 350 ..etc.
    it'll get complicated if you don't design it creatively

  3. I have a simple case, that in my firebase database I have 100 messages come from 5 different users, only the user who wrote the message will be able to delete it, and other 4 only can read it. I use firebase, can you give me some hint how to do it ? I read document many times only some basic stuff. auth != nil which is not enough, and firebase keeps warning me. please help , thanks.

  4. Can we changes id tokens dynamically for like social network where access to user database changes based on the users friendship status…..

  5. Can you please do a live coding of google cloud functions for let's say deletion of timestamp expired data on realtime database please? I heard you need to implement an outside service to ping the firebase server in intervals in which you want to triggers these functions.

  6. Could you explain in more detail what makes it a "bad experience" for end users if developers add a bunch of claims to their auth token? Would the example you showed with address and a few other details really impact the delivery speed in any noticeable way?

  7. Thats great and seems quite simple! I will defenitly check that out. However one question: Is it possible for someone to "fake" an auth token? This way someone could fake being an admin and promote his real account to an admin…

  8. Wait, i'm not sure if I understood the last point correctly, but if e.g. Firestore permission are updated only when the user logs in and out again, couldn't this be used maliciously?
    For example, if a moderator at the example page now edits movies with wrong intentions and get's his role revoked(so he get's the claim removed), then it's on the client side to log him out, so that the permissions actually change?? Isn't this very insecure, as e.g. the moderator could just delete the code to be logged out and still have all the write access?

  9. I think firebase security is by far the most difficult part about using firebase and Firestore. It’s too bad considering everything else about firebase is such a pleasure to use.

  10. very good!!!! this is the kind of videos that we all need, although it was a bit fast the issue of setting the custom tokens but even so, it gives us a vision of how to work it. many thanks!. it would be very good a good video that gives us the best practices to upload an image, cut it, optimize it and generate a thumb (also optimized) and use a picture tag, to have all possible resolutions automatically. many thanks Jen!

  11. I like firebase a lot. It has majored a lot over the last two years, most things are well documented, and you get an overall coherent experience as a developer.

    However, what's still way to time consuming and to tricky to scale are security rules. This area is lacking behind all other areas in terms of usability and the ability to scale a codebase. Maybe some kind of metalanguage is needed so to create an abstraction that can bring more speed and better scalability…

  12. I was wondering it would be advised to change custom claims based on some context (i.e. they are on a certain document or collection )?
    This would be for cases where one could be a moderator for certain chat rooms but not all chat rooms
    ( it gets more tricky if moderator is not a statically defined )
    What I was thinking would map to something like this:
    – When a person enters a room (room 101) then it will automatically update all it's claims on "room actions" it can perform i.e. { canBootUserFromRoom101 : true, canReadMessagesForRoom101 : true }
    – If the person leaves the room and enters another room then it will update claims again so that it can do things like i.e. { canBootUserFromRoom102 : false, canWriteMessagesToRoom102 : true }

    The biggest reason for this is if there is something shared link between FireStore and Storage ( like room images / videos ) the rule under Storage can not access things in FireStore.

  13. Hy.. i have a problem in my firebase databaae.. when wifi disconnect firbaae also diaconnect and not connect even after wifi on. Can u help me?

  14. Will this be a good option to check if the user is accessing the database from App and not accessing it directly, so that I can write security rules to allow access only from the App?

  15. It would be easier to manage user roles using claims if the firebase console had a page that allowed the admin to set claims for individual users. Role-based security is one of the most common tasks that administrators have to deal with and having to write code to support it doesn't make for a great user experience.

  16. Thanks Jen, you've just confirmed I'm doing this correctly in my app (customer claims applied by a cloud function)! Also great to know the reads from Firestore rules are including in the quotas. I wish I'd had this video 2 months ago, would've made my life a little easier when implementing. Great content and a great product, thanks!

  17. How would you go about groups? User is admin of one group and a member of another. So you could have 100+ groups. User might be part of 20 of them.

  18. I was developing an app requiring the exact feature in 2017. Was searching internet like a mad man, i couldn't find a thing. At the end i thought it must be something to do with the server side rules, but i couldn't just figure it out
    That app went to stub that time due to various other reasons, but i guess i will visit it again 🙂
    Thankyou for such an awesome explaination!!

  19. In the past, I have used firebase.auth in the web client and once a user creates another user, I link certain security logic:

    Once the user has been created I send an email to verify your email with the function user.sendEmailVerification ().

    As the user was created by another user, I assign a default password and use the sendPasswordResetEmail () function so that the user registers his new password.

    That has worked well for me so far, but now for many reasons I need to move that logic to my server, for that I'm developing a backend with cloud functions and I'm using the Node.js Firebase Admin SDK version 6.4.0, but I can not find a way to use the functions of user.sendEmailVerification() and sendPasswordResetEmail() to implement the same logic on the server, the closest thing I found was:

    auth.generateEmailVerificationLink (email)

    auth.generatePasswordResetLink (email)

    But it only generates a link for each one, which by the way the only emailVerification() serves me, the one from generatePasswordReset always tells me:

    Try resetting your password again

    Your request to reset your password has expired or the link has already been used.

    Even though be a new link, and it has not been used.

    My 3 questions would be:

    How can I make the sendEmailVerification () and sendPasswordResetEmail () functions work on the server?

    How can I make the link generated with auth.generatePasswordResetLink (email) work correctly on the server?

    Is there any way to use templates and emails on the server that are in firebase auth?


    Thank you in advance for sharing your experience with me, with all the programmers' community of firebase.

  20. Is it possible to add console control to Firebase security for easier control, and developer can check exactly which collection of user has access authority to any data on console #AskFirebase

  21. Hey folks, I was having trouble finding the links that Jen mentioned in this video, they weren't included in the Description.
    For anyone else that's looking for them, here's a Medium post that Jen provided with the exact links.

  22. I think firebase authentication itself could be more… customizable and user-friendly, allowing developers to add custom user profile properties and set different user groups more easily, without setting up an additional collection for users in Firestore or asking for help from Admin SDK.

  23. Maybe I didn't understood something but when we only allow admins to promote users to admins, how do I get the first user to become an admin? As far as I know there is no way to give custom claims to a user from the console…

  24. I have an Admin authentication problem Any One From Firebase Team has Solution i want to make App for Admin And Client
    how to do this thing in flutter Anyone Know How to Do this things…

  25. Ok… First, thanks a lot for the video. Custom claims will surely prove to be useful in many cases. But I have some question to get some clarifications on the concept:

    1- If a user has logged in and you add/remove a custom claim they won't have it on their claim until the next time the token is issued.

    2- Each client SDK has a method to "refresh" the firebase token, this can be used wherever appropriate.

    Questions for 1 & 2: Does refreshing a token(2) has the same effect as re-issuing the token(1)? Looking at your annotation sequence I get the impression that it has the same effect.

    3- Firestore, real-time database and cloud storage update permissions based on changes to users' uid, not the refresh token. Even if you refresh the token, security rules will not reflect changes in access. User needs to sign out and sign in again so that firebase products look at the permissions of the latest token.

    Question for 3: Are the custom claims cached somewhere on these products and these claims are only fetched whenever a user logouts and logs back in? In this case, the only proper way to securely reflect the changes in the claims is to kick the user out, correct? By updating "permissions" you mean "custom claims" right? When I refresh a token, I get the new claims on the client but I can't reflect the changes on the server side for firebase, firestore, storage. This implies custom claim records are not read from the place they are stored by these products, instead they are cached somewhere and this cache needs to be updated by a sign-out, right? This part is a little foggy as far as this video is concerned.


  26. How could I structure my Rules in a given situation:
    I have registered users under a USER ref that has "Display_name, email, age, has_Paid". He has read & write permissions to his User node. BUT has_paid should only be allowed to be edited by my Firebase CloudFunctions Script. He should not be able to write or edit "has_paid"…. how to do this?

  27. The complexity of the security roles is the biggest disadvantage of firebase, but it is learnable. Other hand it would be nice if we can be able to control the response fields.

    In case of if i'm a moderator, than i want to see the costumer's billing data, but I don't want to make it visible for the non moderator users.

    It is not so a security role, its more than an response modifier.

  28. Is there a particular reason why managing custom claims is not a feature available in the Firebase Console? It just feels odd having to use the Admin SDK just to be able to do so

  29. This all seems so hackish tho… Why not just return a token which I can save in the localstorage and verify by firebase on every route… Could be so easy and serverless.

  30. #AskFirebase Hi Jen, w.r.t custom claims, the security rule at the server side relies on claim value that is sent by the client as opposed to the model of the server verifying the claim made by the client for every request. And as a counter measure, we do the token refresh at the client side when the claim value changes or wait for an hour. This looks ok on an assumption that the token available with the client SDKs cannot be compromised. But does this model guarantee security.? Thanks for your time!

  31. I am not able to get started with firebase storage, it is failing to create initial default bucket
    it is saying some unknown error, and refresh it and try again.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top