Closed botmane closed 6 years ago
Currently, we don't expose any hash functions in rules, please file a feature request here if you have a use case for this.
This isn't really related to bolt, but just whatever functions are available in Firebase Database Rules, so I'm going to close this out (but we got your feature request, so thanks!)
@rockwotj I kind of have a use case for the same. Is there a link where I can check the current status of this feature request?
Sadly, we don't have a public issue tracker or anything available for you to track @justi-n
@botmane @justi-n Can you explain what your use cases are?
/cc @scottcrossen @ryanpbrewster
Hi! hashing.md5(request.auth.uid.toUtf8()).toBase64() == "foo" is what you want.
Sorry it wasn't available when @rockwotj responded. I just went ahead and implemented it and forgot to respond.
Note this works in Firestore and Storage security rules, not Realtime Database Rules.
This is great. Any possibility this can be extended to a keyed hash (HMAC-SHA*) or something like that? I have a use case where I need to do a one-way keyed hash on a random string. The use case is this. A user creates a Firestore document. The user's uid is stored in an adminId field of the document. So the database rules restrict write access to only the user with the uid = adminId. Now I have a case where the admin has to grant write access to an anonymous login user to this (and only this document). My thought was that the admin would generate a keyed one-way hash using a secret string and write the key to the document along with the hash to the secret string. The secret string would be distributed securely (between the two parties) to the user who will be granted write access. The user logs in anonymously and reads the key from the document (along with other contents as the document can be read). In order to make changes to the document, there will be another field to enter the secret string. If entered correctly when the user attempts to make changes, the security rules will determine that the uid of the user does not match the adminId, so it will check the secret string field and compute the hash using the key in the document. If the hash matches the hash also in the document, the document write succeeds. Please let me know if there's a way this could be implemented within the security rules or if there's another way to do this. I assume since you have md5 already, adding an HMAC-md5 with a key parameter wouldn't be that big a stretch?
An example that works:
Rule:
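match /doc/{userID} {
  allow read, write: if hashing.md5(request.auth.uid.toUtf8()).toHexString() == userID;
}
Dart: (similar in your programming language of choice)
import 'dart:convert';
import 'package:crypto/crypto.dart';

// md5.convert takes bytes: UTF-8 encode the uid, as toUtf8() does in the rule.
String hashUid(String uid) => md5
    .convert(utf8.encode(uid))
    .toString()
    .toUpperCase();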
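An offline check for the rule in the comment above, added here as an example and not code from the thread or from Firebase: it mirrors `hashing.md5(request.auth.uid.toUtf8()).toHexString() == userID` and reports why a client-computed document ID would be denied. It assumes `toHexString()` yields uppercase hex, as the `toUpperCase()` in the Dart snippet implies; the function names and sample uids are constructed.

```python
import base64
import hashlib


def rule_doc_id(uid: str) -> str:
    """Emulate hashing.md5(request.auth.uid.toUtf8()).toHexString().

    Assumption: uppercase hex, as the Dart snippet's toUpperCase() implies.
    """
    return hashlib.md5(uid.encode("utf-8")).hexdigest().upper()


def diagnose(uid: str, doc_id: str) -> str:
    """Explain why a client-computed document ID passes or fails the rule."""
    digest = hashlib.md5(uid.encode("utf-8")).digest()
    expected = rule_doc_id(uid)
    if doc_id == expected:
        return "allow"
    # The rule is an exact string comparison, so hex case matters.
    if doc_id.upper() == expected:
        return "deny: hex case differs"
    # Client encoded the same digest with base64 (standard or URL-safe).
    b64_forms = {
        base64.b64encode(digest).decode("ascii"),
        base64.urlsafe_b64encode(digest).decode("ascii"),
    }
    if doc_id in b64_forms:
        return "deny: base64 digest, rule expects toHexString()"
    if doc_id == uid:
        return "deny: raw uid, not hashed"
    return "deny: digest of a different uid or input encoding"


def check_all(pairs):
    """Run diagnose() over (uid, doc_id) pairs; returns a list of verdicts."""
    return [diagnose(uid, doc_id) for uid, doc_id in pairs]


if __name__ == "__main__":
    uid = "constructed-uid-123"  # constructed sample value
    digest = hashlib.md5(uid.encode("utf-8")).digest()
    samples = [
        (uid, rule_doc_id(uid)),
        (uid, rule_doc_id(uid).lower()),
        (uid, base64.b64encode(digest).decode("ascii")),
        (uid, hashlib.md5(uid.encode("utf-16-le")).hexdigest().upper()),
    ]
    for (u, d), verdict in zip(samples, check_all(samples)):
        print(f"{d:34} {verdict}")
```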
Hello,
I would like to create a custom security rule where I check if md5Hash(auth.uid) === "foo". Is there any way to do it using bolt?
Thanks,