Hi Ani, I already have firebase database rules but I am only worried about the security of Google App Engine and Cloud Endpoints side. I am wondering is it really this simple to achieve security. I get the ID token of the user in my API running on google app engine. Than I use admin privileges to get info of that user ID I extracted from the token. I need to make sure that userID cannot be manipulated in the token. Can I be sure that the id I extract from the token is safe?
On Monday, April 30, 2018 at 8:46:02 AM UTC-4, Ani Hatzis wrote: > > Hi Deniz, > > >> allow users to get information about their account >> > > Is the only data shown to the user the information that has been extracted > from the current user's ID token? > > Or do you store additional custom user information that your endpoints > will show to the current user, e.g. their user profile? If you have more > user-related data in Firebase than what is already managed by Firebase Auth > (in Firebase Users), you might (as usual) need rules in FB to prevent > reading/writing other users' custom data in Realtime Database (or Cloud > Firestore). In Firebase, all authenticated users can read/write the entire > database by default, unless you setup rules to restrict access. And the > access works outside of your App Engine app, so you would need the FB rules > as additional protection when clients access FB directly. > > Ani > > > On Sunday, April 29, 2018 at 6:19:05 PM UTC+2, Deniz Yazar wrote: >> >> I am developing a web service(server) for my web application to allow >> users to get information about their account. After looking at every >> amazing Google Cloud product, I am thinking of doing the following to have >> a secure server on Google Cloud: >> >> 1. Having clients login with Firebase Auth on web app >> 2. Add security specifications in Cloud Endpoints to allow only >> firebase logged in users to access* specific paths (*running on a >> node.js server on Google App Engine) >> 3. Extract the ID token received on the server by decoding it to >> return users only their data >> - Is simply having firebase security rules in the openAPI file in >> Cloud Endpoints enough to make sure only users logged in can access >> their >> *own* data? >> >> I'm also limiting access to some paths for service accounts, after making >> that security rule in Cloud Endpoints, isn't there really anything else to >> do to make sure the system is secure. Is it really this easy to achieve a >> secure system? After this point, is it just my google account's security >> thats left to protect? >> > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/b06e1682-ca86-44a5-8edf-eae6cefcadd9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
