My database has due to expire in two days because of rules security. I changed the default test rules yesterday, it is possible that they have not yet been noted, but to make sure they are sufficient to keep my database from expiring, I am asking you about it. Are these rules ok? Is it all to prevent the database from expiring?
Firestore database -> Cloud Firestore rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if
request.auth.uid != null;
}
}
}
Realtime Database rules:
{
"rules": {
"Users": {
"$uid": {
".read": "$uid === auth.uid && auth != null",
".write": "$uid === auth.uid && auth != null",
}
}
}
}
The rules you show don't have an expiration date, so data access won't change based on the date anymore. Whether they're "OK" is a different matter though.
The Realtime Database rules you show give each user access to only their own data, which is a common practice and shown in the Firebase documentation on content-owner only access.
The rules you're showing for Firestore though, give access to anyone who successfully called the Firebase API to sign in, which is a much less strict requirement. If you use Firestore, I recommend also tightening the security there. And if you don't use Firestore, I recommend turning all access off with allow read, write: if false;
Related
I have 2 apps (admin and clients) using the same firebase database, first configure the admin app, then from the "project configuration" create the clients app in "Add another app".
service cloud.firestore {
match /databases/{database}/documents {
match /clients/{document=**} {
allow read, write: if true;
}
match /payments/{document=**} {
allow read, write: if true;
}
}
}
Without setting firebase rules (like the ones indicated above), the 2 apps work fine, I can read, edit, create and authenticate users. The problem happens when I start to set basic rules:
service cloud.firestore {
match /databases/{database}/documents {
match /clients/{document=**} {
allow read, write: if request.auth != null;
}
match /payments/{document=**} {
allow read, write: if request.auth != null;
}
}
}
with these rules it works fine in the admin app, but in the clients app it shows an error: ERROR FirebaseError: Missing or insufficient permissions; and does not allow read or write to the database.
It seems you are using the syntax for Firestore Security rules in realtime database. I am assuming you want to run 2 apps on a single database and want to have different security rules for both. You need to separate the apps data in their own node to do so. Then you can try the following rules:
{
"rules": {
"app1": {
".read": "auth != null",
".write": "auth != null"
},
"app2": {
".read": true,
".write": true
}
}
}
Now data of both app1 and app2 will have separate security rules. Just make sure the data is in relevant node.
I am working on the app that I need to connect to the dev firebase.
This firebase has database rules as follows:
"rules": {
// no read access at root level
".read": "auth.uid === 'emailaddressgmailcom'",
".write": false,
What I cannot understand is how auth.uid is specified to be an exact email address?
As far as I tried I only get unique uid provided by Google. (set of numbers and letters)
Hence I can never pass the auth to read from the database, unless I specify my exact uid given by Google in the databse rules, which is not an option because there will be another user who needs an access to db and I do not know his uid.
auth is one of the predefined variables.
By doing auth.uid, you get the user id ("guaranteed to be unique across all providers").
You need, in your Security Rules to use it to defined the access rights of a given user to one or more given resources, as explained here in the doc.
You could compare it to a fixed value, if a certain resource shall be read by a unique user:
".read": "auth.uid === 'HGH656675FHGFGHF3454'"
but usually you compare it to some parts of the path of the node/resource you want to protect, like for example:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
This is how you should do to solve your problem "there will be another user who needs an access to db and I do not know his uid".
I would suggest you read the entire section about RTDB Security Rules form more details: https://firebase.google.com/docs/database/security
Please try below rules
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
I am new to firebase and I am trying the firebase database rule and firebase auth.
I trying to use the firebase auth for firebase database rule.
So I have create a demo email to test this the database rule.
email : abc#gmail.com
uid : WfipZwUuNvTIkRYvPxsFqzd1rag2
My database rule (followed the firebase site) https://firebase.google.com/docs/database/security/user-security
Firebase Database Rule :
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id == auth.uid",
".read" : "$user_id == auth.uid"
}
}
}
}
I have tried to use the simulator for the database rule with the below custom payload with authenticated and couldn't access the read or write.
Payload :
{
"provider": "password",
"uid": "WfipZwUuNvTIkRYvPxsFqzd1rag2"
}
So what am I missing in this point?
Updates
What I need is use the firebase authenticate email to give a read and write access to the database.
I am currently trying on the firebase database rule simulator.
I keep getting access denied. So maybe is my payload is not right for the authentication. Need HELP!!!
i tried the rules that you specified in ths simulator and i got simulated write allowed the only difference is i didn't use the uid that you specified.
See Below Images for result
As per documentation you should implement:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid",
".read" : "$user_id === auth.uid"
}
}
}
}
Notice you should implement '===' instead of '=='
The above implementation will allow only user WfipZwUuNvTIkRYvPxsFqzd1rag2 to read and write on that specific location "/users/{user_id}"
Updates
I tested and it works this time. Last time i tried the rule did not work that is very weird.
Ok, I assume the simulator's authenticated means if any of my firebase auth user is logged in.
So, my path and my rules have problems during the test and is not my payload
If I want to allow the database access by the firebase auth user then my rule should be like this (I presume).
Rule: for fire base auth to access the whole database with read and write permission.
{
"rules": {
".write": "auth.uid != null",
".read" : "auth.uid != null"
}
}
Thanks #d.mares and #MuruGan
Where does the service element get put in a database.rules.json file used by the firebase client, which is:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
}
}
I'm assuming the above applies to both Cloud Firestore and real time database?
I have a Cloud Firestore rule I'd like to keep in the json file so that it can be source controlled and deployed automatically. Here's the rule as shown in firestore:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
match /photos {
allow read, write: if request.auth != null;
}
match /users/{user} {
allow read: if request.auth != null;
allow write: if request.auth.uid == user.id)
}
}
}
How do I update my database.rules.json file to start to keep it in sync? Do I need to add a cloud.firestore element under rules? Where does it go? Are firestore rules kept in a completely separate file?
I think you have to put these rules in a separate file named firestore.rules.
The first set of rules (i.e. the ones in database.rules.json) in only for the Real Time Database.
Firebase Realtime Database security rules are completely different than Cloud Firestore security rules. You can't have one file for both, and there is no automated process to keep them in sync, whatever that means for you. When you run firebase init, tell it that you want to init both Realtime Database and Firestore, and it will suggest names of different files for the rules.
Firebase - How to set security rules so that only logged in users can read and write for a specific table?
For the logins I'm using firebase built in authentication.
You can check on the auth variable
{
"rules": {
"posts": {
"$post_id": {
".write": "auth != null"
}
}
}
}
Check out the Firebase Security Guide for more information.
Also, you may want to check out the Bolt compiler.
by changing the rules as follows
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}