This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 1 year ago.
In my Flutter web app, the credentials to access the Firebase backend are set in index.html and anyone who clicks "view source" can see them.
What's to stop someone from using that to spoof the client and get access to the Firestore database with their own code instead of the client that's meant to access it?
You will always have to leave a way for users to access your database - and thus also giving them some way to locate your database. You should write secure firestore security rules to govern the usage of your database. Users will always be able to access your database through other means than your front end. After all, your front end is just a portal for displaying the data in a user-friendly way. By however adding security rules you can limit the usage of your database to how it is intended.
Related
Im developing a solution where I have data stored on firestore. On the other side I have react based website which reads this data.
Today I "authenticate" the solution in my test with in the backend a firebase config and that they enter a uniqID in the URL. So example: company.com/display/asdkjlasdjkl239023. I then do simple firestoreConnect where I add the ID as where clause. Right now my firestore rules are just open for all. But for production this dosen't seems so secure.
In theory I guess I would want some typ of authentication when the device first loads. Maybe a pin code would be good (email/password etc is to long). Then there would be a rule only allowing this connection to read what they are supposed to read nothing else.
Im trying to figure out how this could be solved but don't have any good idea. I figured somebody must have built something similar before :)
You can use Firebase Authentication phone Auth to verify a user based on their phone number, easier than email/password. You can even create your custom authentication inside Firebase Auth.
To secure your firestore or real time database, you need to use and understand Firebase Security Rules you can write security rules which will block the user from accessing other files that they aren't suppose to (which are ofc decided by you).
This question already has answers here:
Firebase Android - Only need specific table to be in local device
(1 answer)
How to limit Firebase database persistence store to only some nodes?
(1 answer)
Closed 2 years ago.
I'm working on a project where I'm using Firebase realtime database as my database. Most of my information will be online, but I want to keep some folders offline. As the documentation says, if I write
FirebaseDatabase.getInstance().setPersistenceEnabled(true)
Any data that I sync from database will be cached, but that's not the behaviour that I want.
Let's say that I have an app where user can create a lists with games
I have 2 folders on my DB root: games and userLists.
In my app I get all games from "games" folder, let the user choose some of them and save under:
userLists/(userId)/(listName).
If I "setPersistenceEnable" as true, all data sync will be kept offline, including games from "game" folder.
I want to keep only the folders under userLists/(userId)/ offline.
Is there anyway to achieve this behaviour?
It's not possible using a simple configuration. Using the provided API in the default setup, you can either choose to persist any of the data that you get from queries, or you choose not to persist anything at all.
If you need to persist only certain data, you will have to either:
Disable persistence, and arrange to persist only certain data on your own (perhaps in a sqlite database)
Enable persistence, but only use it for certain queries. Other queries can go through a different instance of a FirebaseApp where persistence is disabled, or use the REST API directly.
This question already has answers here:
Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?
(2 answers)
Closed 3 years ago.
I am working with log-in log-out management, and it turns out that it's quite important to use the FirebaseAuth for all operations. But since only I have the service account key and only I can alter how the app is working, I'm wondering how someone can read or write in my database other than what I've programmatically given to them within the app. Can someone help explaining this to me? I would be really glad.
If your security rules allow access to unauthenticated users, then anyone with an internet connection will be able to read and write the entire contents of your database. It will be especially easy with the Firestore REST API.
A judgement of how "bad" that is for your project is entirely up to you to determine.
This question already has an answer here:
Firebase custom domain name for database
(1 answer)
Closed 4 years ago.
Let say i have a firebase db at https://vivid-fire-id.firebaseio.com/.
So the browser will try to connect to vivid-fire-id.firebaseio.com particular domain.
Is there way to add a custom domain from which the db is accessed from?
For eg: https://firebase.mydomain.com
This is required to make sure that firewalls do not create problem while access our application.
api gateway can be one of possible solution. Google search reveals lot of info on api gateways
Treat firebase as a microservice.
This question already has answers here:
How do I return a list of users if I use the Firebase simple username & password authentication
(7 answers)
Closed 7 years ago.
I am using simple email/password combination to authenticate users in Firebase. Is there a way to expose users' registration details like email or account creation date by the standard REST API or any other library (preferably React.js with ReactFire or Re-base)?
For example, I want to be able to get a list of all registered users or pass a UID to a query and retrieve email address or creation date. I know I can achieve this by storing the needed user details in my custom data store under the user UID for example, but I am looking to access the original data and not my own copy of it. I also understand that exposing such details might not be a recommended practice as it causes a security risk, but I still want to explore the possibility of achieving this.
Firebase does not expose that data through any API. Like you've said, the only option is for you to store that data in your Firebase instance, and then query it there.