I've stopped to receive emails from Firebase telling me that my realtime database has insecure rules. Here is the beginning of the rules I have set:
{
"rules": {
"aaa":{
".read": "auth != null",
".write": "auth != null",
},
"bbb":{
".read": "auth != null",
".write": "auth != null",
},
//..... rest of the rules.
}
}
Here "aaa" and "bbb" are the nodes I use in my Firebase realtime databse. So you should mention all of yours.
Is this solution suitable?
Your security rules should only allow what your application code does, and nothing more.
So if your code writes directly to aaa and/or bbb and writes whatever data it wants there, then your rules match that.
But typically your code will write data of a specific structure, in which case you should validate that structure with validation rules.
Also: does your code really need to delete or replace the entire aaa and/or bbb node? Or does it only need to append new child nodes to it? Because right now, your rules allow any user to take the configuration from your application and then do firebase.database().ref("aaa").remove() and wipe whatever is under it. Again: if that matches with what your application does, then the rules match that. But... it seem unlikely.
Always try to include User UID for more security.
"aaa":{
"$uid": {
".read": "auth != null && auth.uid === $uid",".write": "auth != null && auth.uid === $uid"
}
}
Related
I have implemented Firebase authentication with Gmail, Facebook,Twitter.
I have successfully logged in firebase, Then i have changed Database Authentication rules to below.
{
"rules": {
".read": false,
".write": false
}
}
In firebase console it is showing login users list but while retrieve data it is showing permission denied. Could you please help me to resolve this issue?
if i change above settings to true i can able to read and write data.
Setting both to false will deny read/write access to all users. You can use the auth syntax in your security rules to identify whether or not a user is logged in.
For example, to allow read/write access for logged in users only your rules would look like -
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
As the name (Database Authentication rules) suggests, these rules are for your Firebase-Database, that who should be allowed to read and write the data on your database and who should not be.
So, in your case, what have you done is- You've set both read and write to false. This means no one will be able to either read or write to your database. And that's what is happening (You're not able to write to the database).
But, when you set both of them to true, then everyone will be able to read and write.
So, if you want everyone to be able to read and write to your database, then your rules will look like this:
{ "rules": {
".read": true,
".write": true"
}}
If you want nobody to be able to read and write to your database, like temporary disabling your website or app:
{ "rules": {
".read": false,
".write": false"
}}
If you want everyone to be able to read your database but want only authenticated members to be able to write to your database like they've purchased the premium account and now they can edit the site, then the rules would be:
{ "rules": {
".read": true,
".write": "auth != null"
}}
If you want only authenticated members to be able to read and write to your database, then the rules would be:
{ "rules": {
".read": "auth != null",
".write": "auth != null"
}}
And if you want to explore more about how this stuff works. Then here is the link to official documentation: Understanding Firebase Database Rules
I have a question for my own sanity. Below is one portion of my firebase rules
{
"rules": {
".read": "auth != null",
".write" : false,
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
"tokens": {
".write": "(newData.val() < data.val())"
}
}
},
...
If I understand correctly the rules state that:
ALL users must be auth'ed in order to read ANY node
ALL user can NOT write to any nodes
Specific to the User node:
In order to read from your own data, you need to be auth'ed and you can only read your own node
In order to write to your own user data, you must be auth'ed and you can only write to your own node
The user/token node can only be decremented and never increased by any user
Can someone confirm my assumptions/understandings reading Firebase security rules documentation.
Also does anyone have any good articles or helpful tips on using the simulator!?
An important concept with the security rules is that read/write rules "cascade" down the tree. This is discussed briefly in the documentation. That means that as you read your rules from top to bottom, the first rule that grants access takes precedence over any rules specified below it on children of that location.
Addressing each of your items:
ALL users must be auth'ed in order to read ANY node (YES)
ALL user can NOT write to any nodes (non-auth'ed users can NOT write to any nodes)
Specific to the User node:
In order to read from your own data, you need to be auth'ed and you can only read your own node (YES)
In order to write to your own user data, you must be auth'ed and you can only write to your own node (YES)
The user/token node can only be decremented and never increased by any user (see below)
In your current rules, the check for smaller token is not effective because the prior rule granting write access to an auth'ed user overrides it. You also need to address the case where there is no existing token value. My suggestion for fixing that is to use a .validate rule. The documentation recommends:
Used once a .write rule has granted access, to ensure that the data
being written conforms to a specific schema.
{
"rules": {
".read": "auth != null",
".write": false,
"users": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid",
"tokens": {
".validate": "!data.exists() || (newData.val() < data.val())"
}
}
}
}
}
As for the Simulator, I don't know of any user guide, but have managed to learn how to use it by experimentation. It's a very effective tool for understand the rules.
Here are a few cases of using the Simulator:
When you open the Simulator, Authenticated is off, which simulates a non-authenticated user. To simulate a read, click on the read button, enter a location: e.g. /users/xyz/tokens, and click on Run. You will see a red X on the lines of the rules that forbid that operation. To simulate an authenticated read, click on the Authenticated button and, for convenience, enter a simple user UID, like "Frank". Now enter location /users/Frank/tokens, click on Run and observe that the read succeeds.
You can do similar tests for writing, entering a location, auth settings and value.
I try to set rules on Firebase, if uid (abc_x) === $account (abc_y), it can read data and everyone can insert,update data. But when i use transaction, it's report "Error: permission_denied"
"countchat":{
"$account": {
".read": "$account === auth.uid",
".write": "auth != null",
}
},
From the documentation:
When using transactions with Security and Firebase Rules in place, be aware that a client needs .read access in addition to .write access in order to perform a transaction.
I use Firebase. Here is what one of my nodes looks like:
--Users
----RandomUID1
----RandomUID2
----RandomUID3
For Rules, this is what I have:
--"users" : {
----".read": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)",
----".write": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)"
--}
What I would like is for reading from the users node to stay the same, but I would like for writing to only be allowed on children of the users node. The reason for this is it would be catastrophic if I accidentally wrote code one night that deleted the entire users node. Is it possible to make a rule so that writing on the node itself is not allowed but writing to child nodes is allowed?
Is there a way to secure myself from such an accident that might occur because of human error?
You can use variables, Firebase variable rules
.At the users node i didn't add a write rule, which doesn't allow for data modification.
"users":{
".read": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)",
"$uid": { //where $uid is child
".read": "auth!==null && auth.uid == $uid",
".write": ""auth!==null && auth.uid === $uid"
}
}
In Firebase security rules how can you stop hackers running a script for signup to your website? bare in mind I need them to be able to signup externally on my homepage so I cannot say they need to be logged in.
I know the basic settings from reading Firebase security documentation but I'm worried its not secure enough, especially if someone new my firebase app url to write or read to the database.
In addition it would be good to know the basics I should have so I can check if I do have those.
Currently I have these settings:
{
"rules": {
"users": {
".read": "auth != null",
".write": true,
".indexOn": ["uid", "region"]
}
}
}
Users can write as I need them to sign up but cannot read unless then are logged in. Also have some indexes for performance reasons.
This is where my knowledge stops.
Thanks in advance!
You want to allow users to write, but only to their own user entry. That's actually easy to do with rules:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
". write": "auth != null && auth.uid == $uid"
}
}
}
}
This says /user/{$uid} can only be read or written by a user who is signed in, and who's user ID matches the {$uid} part of the path. Take a look at the rules quickstart for more.