Reputation: 33
Hi, I would like to ask if in Firebase it is possible to add custom claims like this:
{
  roles: ["ROLE_A", "ROLE_B"]
}
And at the same time write correct Realtime Database security rules like:
".read": "auth.token.roles.contains('ROLE_A')"
This is my database example:
"root": {
  "users": {
    "nodeA": {
    },
    "nodeB": {
    }
  }
}
When I try to write the rule I have
The same thing works with something like that
Upvotes: 1
Views: 145
Reputation: 7398
That should work. Just keep in mind that the custom claims have a size limit of 1000 bytes. If you need to save too many roles, that could break your app's authorization logic.
I like to use the custom claims for very basic roles like isAdmin and the rest over the database. You can change the custom claims only from a secured backend, and in Firebase that is probably a cloud function. You would need to save those roles in a database for your frontend to see what roles a user has or not, and sync those with the user's custom claims. That data needs to be secured for users authorized to change them. When you already have that, you can also use the same data from the database to write your database rules. It's also very easy to sync them between both databases.
Upvotes: 1
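The backend step the answer describes (roles kept in the database, then copied into custom claims from trusted code, within the 1000-byte limit), as an added example that is not part of the original answer. `setCustomUserClaims` is the Firebase Admin SDK call; the function names, the role allowlist and the injected `auth` parameter are assumptions of this sketch.

```javascript
// Added example; buildRoleClaims, syncRoleClaims and ALLOWED_ROLES are hypothetical names.
const MAX_CLAIMS_BYTES = 1000; // size limit mentioned in the answer
const ALLOWED_ROLES = new Set(['ROLE_A', 'ROLE_B']); // role names from the question

// Turn the roles stored in the database into a claims object.
// Rejects roles outside the allowlist and payloads over the size limit,
// so a growing role list fails loudly instead of breaking authorization.
function buildRoleClaims(roles, allowed = ALLOWED_ROLES) {
  if (!Array.isArray(roles)) throw new TypeError('roles must be an array');
  const unique = [...new Set(roles)].sort();
  const unknown = unique.filter((r) => !allowed.has(r));
  if (unknown.length > 0) {
    throw new Error(`unknown roles: ${unknown.join(', ')}`);
  }
  const claims = { roles: unique };
  const size = Buffer.byteLength(JSON.stringify(claims), 'utf8');
  if (size > MAX_CLAIMS_BYTES) {
    throw new Error(`claims are ${size} bytes, limit is ${MAX_CLAIMS_BYTES}`);
  }
  return claims;
}

// Run only in trusted backend code (for example a Cloud Function), after
// checking that the caller is allowed to change roles.
// `auth` is the Admin SDK Auth instance, i.e. admin.auth(); it is passed in
// as a parameter (an assumption of this example) so it can be stubbed.
async function syncRoleClaims(auth, uid, rolesFromDb, allowed = ALLOWED_ROLES) {
  const claims = buildRoleClaims(rolesFromDb, allowed);
  await auth.setCustomUserClaims(uid, claims); // replaces the user's existing custom claims
  return claims;
}
```

The new claims show up in `auth.token` only after the user's ID token has been refreshed.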