From 03d2903e5706b00c5fc8f794d333dc6e0fcf1731 Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 12 May 2021 13:05:41 -0400 Subject: [PATCH 1/3] Validate user is verified on auth state changed --- firestore.rules | 26 ++++++++++++++------------ src/router.ts | 15 +++++++++++++++ 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/firestore.rules b/firestore.rules index 2b251c0..a099a49 100644 --- a/firestore.rules +++ b/firestore.rules @@ -4,45 +4,47 @@ service cloud.firestore { function isSignedIn() { return (request.auth != null) && (request.auth.token.firebase.sign_in_provider == "google.com"); } - + // check that email ends with correct domain function containsDomain() { return request.auth.token.email.matches('.*@n2ntompkins[.]org'); } - + // check for staff role associated with uid...needs testing function isStaff() { return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "staff"; } - + // check for driver role associated with uid function isDriver() { return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "driver"; } - + // anyone signed in & with email domain can read (ADD DOMAIN BACK!!!) match /{document=**} { - allow read: if isSignedIn(); + allow read: if isSignedIn(); } - + // only driver can update furniture items; only staff can delete/add items match /furniture/{document=**} { allow update: if isSignedIn() && isVolunteer(); allow write: if isSignedIn() && isStaff(); } - + // only staff can edit pending/rejected items match /pending/{document=**} { allow write: if isSignedIn() && isStaff(); } - + match /rejected/{document=**} { allow write: if isSignedIn() && isStaff(); } - - // TESTING PURPOSES ONLY; MUST BE DELETED - match /formTest/{document=**} { - allow read,write; + + // anyone can read users database to validate accounts + // TODO: make this private + match /users/{document=**} { + allow read: if isSignedIn() } + } } \ No newline at end of file diff --git a/src/router.ts b/src/router.ts index 97524fe..65df66d 100644 --- a/src/router.ts +++ b/src/router.ts @@ -17,6 +17,21 @@ const router = new Router({ beforeEnter(to, from, next): void { firebase.auth().onAuthStateChanged((user) => { if (user) { + firebase + .firestore() + .collection("users") + .doc(user?.uid) + .get() + .then((doc) => { + if (!doc.exists) { + console.warn("Invalid permissions"); + firebase.auth().signOut(); + next(); + } + }) + .catch((err) => { + console.error(`Something went wrong: ${err}`); + }); next("/home"); } else { next(); From 493083798ac88774f61d2c7a4a8bb95b41f91702 Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 12 May 2021 13:05:54 -0400 Subject: [PATCH 2/3] Update gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a083747..dba91a6 100644 --- a/.gitignore +++ b/.gitignore @@ -25,5 +25,6 @@ yarn-error.log* *.cache .firebase/** firebase.json +credentials.json .env* \ No newline at end of file From 803996711c092c21c57472f1c9d31d6de931ae2c Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 12 May 2021 13:15:49 -0400 Subject: [PATCH 3/3] Prevent navigation to home while fetching users --- src/router.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/router.ts b/src/router.ts index 65df66d..8e6b246 100644 --- a/src/router.ts +++ b/src/router.ts @@ -23,7 +23,9 @@ const router = new Router({ .doc(user?.uid) .get() .then((doc) => { - if (!doc.exists) { + if (doc.exists) { + next("/home"); + } else { console.warn("Invalid permissions"); firebase.auth().signOut(); next(); @@ -32,7 +34,6 @@ const router = new Router({ .catch((err) => { console.error(`Something went wrong: ${err}`); }); - next("/home"); } else { next(); }