Custom claims for admin access and security rules

As we saw earlier, the Firebase Admin SDK supports attaching custom attributes (custom claims) to a user's ID token. These claims let us define different levels of access, including role-based access control, which is then enforced in the app's security rules.

We need to define user roles in cases such as the following:

  • Giving a user the admin role for accessing restricted resources
  • Assigning a user to different groups
  • Giving users multi-level access, such as Paid, Regular user, Manager, Support Team, and so on

We can also write rules for database nodes where only limited access should be given. Suppose we have the node helpdesk/tickets/all, under which all tickets' data is stored, and we want only admin users to be able to see all the tickets. To achieve this, verify that the user's email address belongs to an administrator, set a custom claim named admin on that user, and then check the claim with the following Realtime Database rule:

{
  "rules": {
    "helpdesk": {
      "tickets": {
        "all": {
          ".read": "auth.token.admin === true",
          ".write": "auth.token.admin === true"
        }
      }
    }
  }
}
Do not confuse custom claims with custom authentication. Custom claims apply to users who are already signed in with one of the supported providers (Email/Password, GitHub, Google, Facebook, phone, and so on), whereas custom authentication is used when we rely on an authentication system that Firebase does not support out of the box. For example, a user signed in with Firebase Auth's Email/Password provider can have access control defined using custom claims.
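The following is an added example, not code from the book: it shows the server-side half of the procedure above (granting the admin claim with the Admin SDK) next to the check the Realtime Database rule performs. The Admin SDK methods used, getUserByEmail and setCustomUserClaims, are real; the helper names grantAdmin, canAccessAllTickets and makeFakeAuth, the users and the in-memory auth stub are constructed for this example so it runs offline, and in a real deployment you would pass admin.auth() in place of the stub.

```javascript
// Added example (not from the book). Granting the `admin` custom claim with
// the Firebase Admin SDK, and checking it the way the Realtime Database rule
//   ".read": "auth.token.admin === true"
// does. The `auth` object is injected so the same code runs against
// admin.auth() in production:
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   grantAdmin(admin.auth(), 'alice@example.com');
// or against the in-memory stub below when run offline, as it is here.

// In-memory stand-in for admin.auth(), constructed for this example.
// It implements only the two Admin SDK methods the example needs.
function makeFakeAuth(users) {
  const byEmail = new Map(users.map(u => [u.email, { ...u, customClaims: {} }]));
  return {
    async getUserByEmail(email) {
      const u = byEmail.get(email);
      if (!u) {
        const err = new Error('no user for ' + email);
        err.code = 'auth/user-not-found'; // same error code the real SDK uses
        throw err;
      }
      return u;
    },
    async setCustomUserClaims(uid, claims) {
      for (const u of byEmail.values()) {
        if (u.uid === uid) { u.customClaims = claims; return; }
      }
      throw new Error('no user for uid ' + uid);
    },
  };
}

// Grant the admin claim to the user with the given email.
// The email must be verified (an unverified address is attacker-chosen), and
// existing claims are merged rather than replaced so other roles survive.
async function grantAdmin(auth, email) {
  const user = await auth.getUserByEmail(email);
  if (!user.emailVerified) {
    return { granted: false, reason: 'email-not-verified' };
  }
  const claims = { ...(user.customClaims || {}), admin: true };
  await auth.setCustomUserClaims(user.uid, claims);
  return { granted: true, uid: user.uid, claims };
}

// Mirror of the rule for helpdesk/tickets/all. `authContext` has the shape of
// the rule's `auth` variable: null for unauthenticated requests, otherwise
// { uid, token: { ...standard claims, ...custom claims } }. The rule uses
// strict equality, so only the boolean true passes, not the string "true".
function canAccessAllTickets(authContext) {
  return authContext !== null
    && authContext !== undefined
    && authContext.token !== undefined
    && authContext.token.admin === true;
}

// Demo over constructed users: a verified admin, an unverified account, and an
// anonymous request.
async function demo() {
  const auth = makeFakeAuth([
    { uid: 'u1', email: 'alice@example.com', emailVerified: true },
    { uid: 'u2', email: 'mallory@example.com', emailVerified: false },
  ]);
  const alice = await grantAdmin(auth, 'alice@example.com');
  const mallory = await grantAdmin(auth, 'mallory@example.com');
  return {
    alice,
    mallory,
    aliceCanRead: canAccessAllTickets({ uid: 'u1', token: alice.claims }),
    // a claim spoofed as the string "true" fails the strict comparison
    stringClaimCanRead: canAccessAllTickets({ uid: 'u2', token: { admin: 'true' } }),
    anonCanRead: canAccessAllTickets(null),
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));

module.exports = { makeFakeAuth, grantAdmin, canAccessAllTickets, demo };
```

Two caveats a practitioner should keep in mind: custom claims are baked into the ID token when it is minted, so a user who is already signed in does not see a newly set claim until the client refreshes its token (force it with getIdToken(true) on the client, or wait for the hourly refresh); and the claims object is limited to 1000 bytes and must not reuse reserved OIDC claim names such as sub, iss or aud.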