I was wondering how to to secure firebase auth. I plan on using firebase JUST for user authentication (not using firestore or realtime db). Since the API key is exposed on the client, my fear is that a malicious user can find the key and start using it inappropriately. So far I've done the following to try to improve security:
Limit key use to a specific domain
Restrict the key to only be able to use "Identity Toolkit API"
Is there anything else I should do here?
My application should be the only one able to use my credentials to access the Firebase API.
For any app where you access a cloud based API directly from within the client-side application code, that is going to be a myth. The closest you can get within Firebase these days is with App Check, but that isn't available for Authentication calls at the moment.
Part of the reason for this is that the authentication API is quite well protected on its own already, and most abuse will actually not affect you as a developer very much. E.g. (ignoring phone auth) there is no charge for account creation, sign in, and any other operations.
I highly recommend checking:
Is it safe to expose Firebase apiKey to the public?
The documentation on API keys in Firebase.
The documentation on Firebase's security rules, which is how you can protect the Firestore and Realtime databases, and files in Cloud Storage.
The documentation on Firebase App Check, which reduces abuse for Realtime Database, Cloud Storage, Cloud Functions, and Firestore at the moment.
More of these previous questions on allowing only you app to access Firebase
Related
In Apple's iCloud, there's a Private bucket where the user can store data, using an iOS app created by a third party, that no one else, including the iOS app creator, can see.
Is there a similar mechanism in Google Cloud Platform?
First of all, I'm assuming that you intend to read and write this private storage directly from a client app.
If you're using Firebase Authentication to sign in the user on the client, you can use either Firebase Realtime Database or Firestore to store per-user private information. These products do not have an internal sense of dedicated storage for users. What you will have to do is assign that space on your own (perhaps a "users" node in RTDB, or a collection in Firestore), and protect that space with the security rules provided by that database product. The security rules will determine who can read and write what data, based on their Auth identity.
Since you tagged this Firestore, I'll assume you intend to use that. You should read up on security rules to better understand how this works. If you are not using Firebase Auth for end user authentication, this will not be possible, however.
I'm currently using Firebase for an online Android game in Kotlin (school project) to authenticate/register users. We're going to release our first version for testing, and I would like to set a limit of people that are able to sign up with Firebase (20 to be specific). Is this possible? Thank you in advance.
There is no way to limit the number of people that can sign in to Firebase Authentication. All authentication does is allowing you to say (and prove) that "I am Max", and there is no way to restrict in Firebase Authentication who can do that (beyond creating your own custom identity provider).
But you can limit what these users can do in the rest of your app. If you're for example using the Firebase Realtime Database or Cloud Firestore, you'd restrict the users who can access the database with their respective server-side security rules (Realtime Database, Cloud Firestore).
If you have your own backend servers, you'll want to pass the ID token from the user to that server, and verify the token there to allow who can access what resources.
I just deleted my flutter app from firebase console , but it is still working and changing data in the realtime database.
Can anyone tell me how its still connected with the firebase?
Thanks
According to Firebase documentation, when you delete an app:
Corresponding API keys or OAuth clients are NOT deleted. You can clean
up the API keys or OAuth clients in the Google APIs console
credentials page. Deleting these resources will break installed
applications: your users will no longer be able to authenticate or
sign in.
Access to the realtime database is not limited to apps that are registered in the Firebase console. Any code that has the proper configuration for your database, can try to access that database. If you want to be more selective in who can access the database, you will need to do this with Firebase's server-side security rules, typically in combination with Firebase Authentication.
Can somebody else get the Firebase credentials from my APK and use them? Is this prevented by adding the SHA-1 keys for Android?
If it is prevented, what do I need security rules for since only code from my app with my SHA-1 can manipulate database at all?
If it is not prevented, can somebody else use my Firebase database as long as his requests fit the security rules? (Write 2nd client, which actually cannot do bad things but should not be allowed at all.)
Im not sure how I should think about security rules:
A) Protecting data against access and manipulation from bad guys + B?
B) Just a set of rules to keep data in a certain state and prevent my software from doing invalid database request?
A Firebase Database can be accessed via the REST API, or any of the client libraries. The decision about whether a client can or can't do something is entirely based on the rules.
You can even just access the Database URL in a web browser and see a JSON response by putting .json on the end, e.g. https://[YOUR_PROJECT_ID].firebaseio.com/.json
So the answer is definitely B! The default rules in a new Firebase project are that read and write to the database require auth, but you can configure them to provide whatever levels of protection you need.
Take a look at the Database Rules quickstart to see what you can do!
We don't ship the Realtime Database secret (or any other "secret" material) in the json file that gets baked into your app. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.
If you are authorizing your requests properly (using Firebase Realtime Database Rules, for instance), your data is secure!
I'd recommend watching The Key to Firebase Security, one of our I/O talks, which talks in greater detail about how this works.
firebaser here
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Mike and Ian describe in their answers, so that you have another shield against abusive users that do use your app.
I'm looking into using Firebase for a project that's otherwise a static site with js. Is it possible to secure the connection to the database in a static site? Wouldn't all security rules, the end point url, etc all be exposed in the js code letting the user make any requests they want (good or bad).
The short answer is yes: by authenticating your users and writing security rules, you can fully restrict read / write access to your Firebase data.
In a nutshell, Firebase security is enforced by server-side rules, that you author, and govern read or write access to given paths in your Firebase data tree.
Firebase security rules are JavaScript-like expressions: easy-to-write expressions that have access to the credentials for the connection, and the view of the Firebase data tree as it exists, along with pending changes on write.
In most cases, your client-side logic, templates, assets, etc. will be static and public. What you're really looking to secure is user and application data, and this is where Firebase Authentication (whether using custom Firebase authentication tokens or Firebase Simple Login) comes in. Firebase Authentication is essentially token generation - taking confirmed, identifiable user data and passing it securely to Firebase so that it cannot be spoofed. This confirmed credential data is then made available in your security rules.
Check out https://stackoverflow.com/a/20842986/879295 for an example, and the Firebase Security Quickstart Video for a great overview / starting point.