How to build a protected and safe Admin section for a Firebase web app?

Question

I have a Firebase app which is a basic blogging website. I'll not have any authentication for regular users. But I need a way to authenticate and/or authorize the admin to create the blog posts.

Right now I have it all set up in a single Firebase project and I'm planning to have a "hidden" protected route, like www.myFirebaseProject.com/admin-xyz. PS: I know this is not trully hidden, but I mean it's not accessible through clicks.

When the admin hits that URL, they'll provide username and password and they'll be granted permission to access the admin panels and create the posts for the blog.

I probably won't have a "create account" page and/or form, as I can and will manually create and register the admin users directly from the Firebase console.

My main concern is that any malicious user may access my Firebase project and create new accounts using the firebase.auth().createUserWithEmailAndPassword();, am I right?

From what I thought so far, I have two options of doing that while keeping it safe:

OPTION 1:

• Create two users and manually set an admin flag on their user's documents in my database (Firestore). The user collection and its documents will obviously be protected from any writing from that point on.

• Use that flag from Firestore to authorize the users to the admin section.

OPTION 2:

• Setting Custom Claims
• https://firebase.google.com/docs/auth/admin/custom-claims

The Firebase Admin SDK supports defining custom attributes on user accounts. This provides the ability to implement various access control strategies, including role-based access control, in Firebase apps. These custom attributes can give users different levels of access (roles), which are enforced in an application's security rules.

User roles can be defined for the following common cases:

• Giving a user administrative privileges to access data and resources.
• Defining different groups that a user belongs to.
• Providing multi-level access:
  • Differentiating paid/unpaid subscribers.
  • Differentiating moderators from regular users.
  • Teacher/student application, etc.
• Add an additional identifier on a user. For example, a Firebase user could map to a different UID in another system.

---

QUESTION 1:

1. Am I right that it's possible for any malicious user to create new accounts just by inspecting these Firebase Info below?

var firebaseConfig = {
  apiKey: "api-key",
  authDomain: "project-id.firebaseapp.com",
  databaseURL: "https://project-id.firebaseio.com",
  projectId: "project-id",
  storageBucket: "project-id.appspot.com",
  messagingSenderId: "sender-id",
  appID: "app-id",
};

QUESTION 2:

2. Which of the options listed above would be the best practice in this case? Could I get the desired behavior from both of them or one, indeed, is better than the other?

Answer 1

Question 1:

Yes if you have enabled email password login, any user can use the frontend config to create a new user account in firebase. So there is no guarantee that new users will not be created.

Question 2:

If you have to occasionally create admins, which you will mark manually you can go with custom claims. Using database for user roles gives you more flexibility in managing roles. You can then use these claims in your frontend (e.g. angular auth guard) to enforce admin roles access to your views.

Caution: Also apply admin role checks on you data which you want to limit to admins only.