0

I have two separate react applications, one is a frontend for users and the other one is an admin panel with a little custom CRM system. We use firebase for the sign up and authentication and we authorize the user on Nodejs backend. The problem is that I'm not sure how would I separate the administrators from the regular users. I know I can add custom claims in firebase, but that would mean that when the user signs-up on the admin panel, he would be able to login on the frontend or vice versa, essentially creating a shared account?

I thought about creating a new firebase project to authenticate admins, but it seems like a messy solution due the fact that we want to use firebase storage that's going to be accessed from both admin panel and frontend and it will probably be hard to write permissions. Another option would be generating random emails on the backend and saving them to the firebase as the user signs up on the admin, but that seems a bad idea too.

Previously we used a custom auth solution and basically stored users and administrators separately in the database.

TLDR

How do I separate user and administrator accounts, preferably without creating a new project as I would like to use firebase storage that's gonna be used by both admin panel and user application?

Nazar Klymenko
  • 63
  • 5

1 Answers1

2

You cannot prevent users from logging on either sites if its a same firebase project and neither share resources between two different projects unless you solely using what Firebase provides.

Option 1:

You still need to rely on Custom Claims or store user's role in a database to differentiate between then. About the UI, yes users will be able to login on the admin dashboard. However you should just redirect them if they don't have the admin custom claim. On the backend, make sure you serve the data only after verifying the claim else return a 401 error.

Additionally, just to make sure, don't ever used UID as identifier. You should always pass the firebase IdToken to your server and then verify it using the verifyIdToken method.

// idToken comes from the client app
admin.auth().verifyIdToken(idToken).then((decodedToken) => {
    const uid = decodedToken.uid;
    if (!decodedToken.admin) return res.sendStatus(401)
  }).catch((error) => {
    // Handle error
  });

That's the case if you use Firebase Auth SDK.

I'd have spent some time to serve admin dashboard from my own server itself. So when someone attempts to login on admin.domain.tld/login, I'd check if the user with that email is admin. If yes, proceed else don't. E-Mail Link Authentication works perfectly here as there won't be any need for the user to enter the password and the login link (from the Admin SDK on your server) will send the login link only to admins else return an error.

Option #2: Using separate Firebase Projects:

You could use a separate Firebase project for authenticating admins and use Firebase Cloud Functions to fetch data from the primary project. This will involve initializing multiple admin SDK instances so the cloud functions can access both the projects for authenticating admin/access resources from primary project.

Either ways, you'll have to run something in a secure env like Cloud Functions or your own server. Just the client SDKs will be insufficient.

PS: Even if you create a separate project for admins, someone can still use your Firebase project's config to create accounts. So make sure you verify customs claims in that case as well :)

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84