This question already has answers here:
how can i restrict access to firestore database to only requests coming from specific domain?
(2 answers)
Closed 1 year ago.
I'm trying to avoid people spoofing my web app in order to gain access to the Firebase backend, specifically the Firestore databases. The logic of the app and the rules I'd have to implement would result in a much higher usage than if I could just restrict access to the domain that the website is hosted on. Is there a way to only allow access to a specific domain?
I think you are looking for Firebase App Check.
App Check helps protect your backend resources from abuse, such as
billing fraud and phishing. It works with both Firebase services and
your own backends to keep your resources safe.
With App Check, devices running your app will use an app or device
attestation provider that attests to one or both of the following:
Requests originate from your authentic app
Requests originate from an authentic, untampered device
Related
More a design question / explore options - I have a Firebase Realtime Database backed project where I have IOT-like devices (ESP32) that periodically measure environmental conditions and stores data in the database, and a flutter app that users use to associate devices with their account, view data and update device settings.
My question is about the best setup for the IOT devices - i currently have them all using a single service account to access the database and insert new readings. I'm concerned this may open up the project to security issues, and that there is no way to restrict security priveledges of a single device.
The other option is to create individual user accounts for every device (each device would have to register themselves with their own unique id). This would then allow every device to be disabled individually and operate through the security rules defined for the database, but lead to a larger number of users in the auth db and more complex iot device code.
Am I missing anything from the above? Has anyone done something similar and can offer some design insight?
i currently have them all using a single service account to access the database and insert new readings.
You should only use a service account in trusted environments, as they have full unrestricted access to your Firebase project. In all other scenarios, consider regular SDKs such as the non-privileged Node.js SDK that is great for using on IoT devices.
This question already has answers here:
Locking down Firebase DB access to specific apps
(2 answers)
Closed 3 months ago.
I have two apps registered in Firebase, say App A and App B. I haven't setup any firebase authentication system but I want to allow requests only from App A and App B. I want to check if the request is coming from my apps and then only perform the actions. If the request is from somewhere else then just reject it.
I want to have this security for Cloud Firestore and Firebase Storage.
Currently, this feature isn't available, some of this will be rolling out in the near future using the new App Check: https://firebase.google.com/docs/app-check
At this time, App check only supports:
Realtime Database
Cloud Storage
Cloud Functions (callable functions)
I think from searching the web this is not technically possible but I want to ask again in case I'm missing something.
I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn).
What I want to know is, is there any way of locking down this read access that only my app can call the DB? I know I can lock down domains to prevent someone writing localhost scrapers but what's to stop someone cloning and re-skinning an app and pointing it to the same back end? Is it possible to achieve this using your certificates fingerprint?
There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in in principle access it, and security rule are the way to ensure all access is authorized.
Note that security rules are not an all-or-nothing approach: you can require sign-in for some parts of your database, while leaving other parts publicly readable. But you can't make the publicly readable parts only be readable by your own app.
Some previous questions on the same topic:
how to make sure only my own website (clientside code) can talk to Firebase backend? (pretty much my go-to answer for this)
How to allow only my app to access firebase without a login?
Restrict Firebase database access to one Android app
How to allow only my app to access firebase without a login?
Update: since May 2021 you can actually restrict access to just users of your App by implementing Firebase App Check.
I have found a solution that maybe helps you or anyone that have a similar question. I answered it in this question:
Restricting Cloud Firestore to a specific domain
Can we implement Firebase for an android app, where I am registering user using Mobile number (Similar to Whatsapp). Users will be sent a code by server which is entered by user in android app to validate the user mobile number and registering him on the server.
Question : Can I use the above method in conjunction with Firebase Auth?
I was earlier going to use MongoDB for my project, but since Firebase has SYNC capabilities, it will be a better choice for storing data. Another good reason is as below:
If a client loses its network connection, your app will continue
functioning correctly.
Every client connected to a Firebase database maintains its own
internal version of any active data. When data is written, it's
written to this local version first. The Firebase client then
synchronizes that data with the remote database servers and with other
clients on a "best-effort" basis.
Very NEW to Firebase, just came to know about firebase (through Google 2016 IO).
https://firebase.google.com/docs/database/android/save-data
Firebase hosting is not for server side processing.
It stores static assets of your website as a world-class high availability CDN. So websites hosted here loads very fast. Even in high-availability scenarios.
So you have to do processing at other server which then connects with firebase and stores userinfo in realtime database.
Firebase has put limits on userinfo to be placed in directly for users auth dashboard.
For detailed userinfo, firebase realtime db is the way to go(from your processing backend to firebase realtime db).
Further Reading: What kind of web applications are Firebase not ideal for?
I'm not sure if this was answered somewhere in the documentation, but looking at the pricing tells me that Firebase has to work with client connected to the Internet at all times.
I am currently developing an application with Java-backed server and with client side done in GWT (Javascript). The application is meant to be deployed for "corporate" clients - that means in intranets.
Will Firebase be operational in these circumstances?
Well, I guess I should have read into FAQ more thoroughly:
Can I run Firebase on my own servers?
Firebase is a hosted cloud service, so the general answer is “no.” Some customers have very specific needs for where their sensitive data is physically stored and managed, so we may make exceptions. Contact us for more info.