Hi Deniz,
 

> allow users to get information about their account
>

Is the only data shown to the user the information that has been extracted 
from the current user's ID token?

Or do you store additional custom user information that your endpoints will 
show to the current user, e.g. their user profile? If you have more 
user-related data in Firebase than what is already managed by Firebase Auth 
(in Firebase Users), you might (as usual) need rules in FB to prevent 
reading/writing other users' custom data in Realtime Database (or Cloud 
Firestore). In Firebase, all authenticated users can read/write the entire 
database by default, unless you set up rules to restrict access. And the 
access works outside of your App Engine app, so you would need the FB rules 
as additional protection when clients access FB directly.

Ani
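As an added illustration of the rules Ani is describing (not code from this thread), here is a Realtime Database rules file that restricts each user's custom data to that user; the `users/<uid>` path is assumed, and the permissive default is shown only in a comment for comparison:

```json
{
  /* The permissive default Ani refers to, which lets any signed-in user
     read and write everything, would look like this at the top level:
       ".read":  "auth != null",
       ".write": "auth != null"
     It is deliberately NOT used here. */
  "rules": {
    /* Deny everything by default; only the branches below open access. */
    ".read": false,
    ".write": false,

    /* Hypothetical per-user data, e.g. users/<uid>/profile. */
    "users": {
      "$uid": {
        /* A client may read and write only the node whose key matches
           the uid in its own Firebase Auth ID token. */
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        /* Optional shape check so clients cannot write arbitrary keys. */
        "profile": {
          ".validate": "newData.hasChildren(['displayName'])",
          "displayName": {
            ".validate": "newData.isString() && newData.val().length <= 64"
          },
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

These rules apply to direct client access (Web/Android/iOS SDKs); a server using the Admin SDK with a service account bypasses them, which is why the App Engine endpoints still need their own uid-from-ID-token check.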
 

On Sunday, April 29, 2018 at 6:19:05 PM UTC+2, Deniz Yazar wrote:
>
> I am developing a web service (server) for my web application to allow 
> users to get information about their account. After looking at every 
> amazing Google Cloud product, I am thinking of doing the following to have 
> a secure server on Google Cloud:
>
>    1. Having clients log in with Firebase Auth on the web app
>    2. Add security specifications in Cloud Endpoints to allow only 
>    Firebase logged-in users to access* specific paths (*running on a 
>    Node.js server on Google App Engine)
>    3. Extract the ID token received on the server by decoding it to 
>    return users only their data
>       - Is simply having Firebase security rules in the OpenAPI file in 
>       Cloud Endpoints enough to make sure only users logged in can access 
>       their *own* data?
>    
> I'm also limiting access to some paths for service accounts. After making 
> that security rule in Cloud Endpoints, isn't there really anything else to 
> do to make sure the system is secure? Is it really this easy to achieve a 
> secure system? After this point, is it just my Google account's security 
> that's left to protect?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/b263aa45-fa93-4624-87db-766333bd991d%40googlegroups.com.