I am writing an app using Firebase Realtime Database.
With the app, you can create votings, which can then be shared with anybody.
I use Firebase anonymous authentication.
I do not want users to need to register or login. So the votings are completely anonymous.
The Realtime Database has the following rules:
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null",
}
}
As far a I understand this means, only people using my app, which created the anonymous ID for them, are able to read and write the database, right?
Or would there be any other way somebody can access the database without using the app?
The auth.uid != null rule requires that the user is signed in to your project. It has nothing to do with whether they are using your app to do so.
Anyone can find the configuration data in your app, use that to call the same API that your app calls, create a user in your project that way, and then run whatever code they want (including deleting the root of your database).
To properly secure your database, you'll have to ensure the rules allow exactly what your code does and nothing more. This is typically easiest if you developer the rules hand-in-hand with the code of your app, instead of trying to add security after all the code works.
My recipe is usually:
Close off the database entirely.
Write code for one use-case.
See it fail, as the user doesn't have permission.
Change the rules to allow only that use-case, but nothing else.
Go back to step 2 for the next use-case.
A new option is to use Firebase App Check, which does reduce the chances of abuse by only allowing access from your app(s). You'll typically want to use App Check for broad protection, and then use security rules for fine grained control over who can access what data.
Related
hi i'm working with angular and firebase, in a web app, if i open the browser tools on console, i can see the connection keys to my firebase it's very bad.
the rules in firebase is the solution at this problem. but all answers i found are based on auth of users and on my web app is not necesary auth. how i can set rules so that only my web app can read and write without users auth. because if i create another projec and i use the same keys i can map the database and anyone can update the data thanks
p.d. my rules actually are read=true and write=true, this allows anyone to read and write.
{
"rules": {
".read": "true != null",
".write": "true != null"
}
}
P.d. my web app is hosted in Firebase Hosting thanks again
This is not possible with security rules. If you don't restrict usage with Firebase Authentication, that means anyone with an internet connection can read and write your database.
I am curious if an user is able to write any data to the key they have writing permissions to. Ofcourse, normally this is done by authentication by the app they are using. But how well is it protected? If I am connected to my wifi I could use tamper data to change the network activities being send.
As stated here: Does firebase encrypt data with a unique key per account? It says that the data is encrypted before writing to the database. This however does not include changing the value's of the keys when the keys are not "arrived" at Firebase.
Is it possible to change the value's from monitoring the network activities, like tamper data?
Also, let's say these are some rules:
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
Is there any way a user could authenticate himself in any other way than using my app? How easy can a authenticated user change value's directly in the database, if he got write rules?
Thank you
In your provided rules, a user would be able to write arbitrary data to the node corresponding to their own uid, which can only be obtained via signing in with a form of Firebase Authentication (including minting a custom token server-side using the Firebase Admin SDKs).
100% of Firebase Realtime Database traffic is sent over TLS-encrypted connections. There is no way to man-in-the-middle this traffic and change it in flight.
You can trust Firebase Database Security Rules to do their job, but it is up to you to write robust rules that adequately protect data for your given application use cases. I'd recommend making use of .validate rules for structure and fine-grained .write rules everywhere. Another important tip to remember is that authorization is hierarchical. Once a .write rule is matched by a client all children of that node can be written by that client.
I am using the Simple Login Email / Password Authentication functionality of Firebase.
I would like to manage users through Forge only. I don't want users to be created via the client app.
However I would still like to let them login/logout though.
Is this possible?
You can't prevent users from being created on the client using simple login. There are two options you can utilize instead:
Simple Login "accounts" are really just tokens
Simple Login is just a convenience wrapper that creates Firebase tokens. There is no limit on how many accounts can be stored and they have no affect on your Firebase usage. With this in mind, there's really no reason you need to restrict creation of accounts.
Instead, just utilize security rules to control access to data. When an admin creates an account, have them also add a profile into the data. If only an admin in Forge is allowed to create the profile, then someone could create an account, but it would be superfluous and pointless, since all it does is give them an inert token.
A security rule to enforce access to data:
".write": "root.child('valid_account/'+auth.uid).exists()"
A security rule that allows users to edit their profile but only Forge (admin: true) to create them:
"profiles": {
"$uid": {
".write": "data.exists() && auth.uid === $uid && newData.exists()"
}
}
Creating your own tokens allows complete control
If you're terribly OCD and don't like that approach, then you can cut out Simple Login. As stated previously, it just creates tokens on your behalf. So simply create your own.
In this way you have complete control over account creation and token generation.
I am using the Simple Login Email / Password Authentication functionality of Firebase.
I would like to manage users through Forge only. I don't want users to be created via the client app.
However I would still like to let them login/logout though.
Is this possible?
You can't prevent users from being created on the client using simple login. There are two options you can utilize instead:
Simple Login "accounts" are really just tokens
Simple Login is just a convenience wrapper that creates Firebase tokens. There is no limit on how many accounts can be stored and they have no affect on your Firebase usage. With this in mind, there's really no reason you need to restrict creation of accounts.
Instead, just utilize security rules to control access to data. When an admin creates an account, have them also add a profile into the data. If only an admin in Forge is allowed to create the profile, then someone could create an account, but it would be superfluous and pointless, since all it does is give them an inert token.
A security rule to enforce access to data:
".write": "root.child('valid_account/'+auth.uid).exists()"
A security rule that allows users to edit their profile but only Forge (admin: true) to create them:
"profiles": {
"$uid": {
".write": "data.exists() && auth.uid === $uid && newData.exists()"
}
}
Creating your own tokens allows complete control
If you're terribly OCD and don't like that approach, then you can cut out Simple Login. As stated previously, it just creates tokens on your behalf. So simply create your own.
In this way you have complete control over account creation and token generation.
I'm new to Firebase and I'm attempting to set-up a simple authentication system using e-mail/password. The initial concept is simple: you register. Then, after logging in, you can access the rest of the mobile app.
In the past, I could set this up with PHP in just a few minutes. But with Firebase, this has become a battle that I can't seem to win.
Using the light documentation found on Firebase's site, I was finally able to successfully register and authenticate a user. Great.
Unfortunately, people can still access the rest of the app whether they are logged in or not. How do I keep the app protected from non-authenticated users?
Also, how do I associated data submitted on a page with an authenticated user?
I've looked at Firebase's documentation. It lacks practical examples for authentication. It keeps referring me to the Firefeed app as a sample. I've looked at Firefeed's code and the authentication system seems 1) excessively complicated for a login system and 2) too intricately tied in to news feeds to be a practical example to learn from.
On the other hand, perhaps I'm just missing something obvious and fundamental. If someone could point me in the right direction, that would be great. Thanks! :-)
(By the way, I tried e-mailing this question to firebase-talk#googlegroups.com, as suggested on Firebase's site... but the group does not appear to exist, according to the bounce-back message from Google.)
Stepping back for a moment, it's worth noting that Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. You can still use your existing authentication with Firebase using Custom Login, if you like.
Firebase Simple Login eliminates the need for you to run a server just for authentication. However, there is no 1-to-1 parallel to the PHP example where the server would govern request access based upon a detected session on the server because all of your logic, templates, etc. lives in client-side code.
In most cases, your client-side logic, templates, assets, etc. will be static and public. What you're really looking to secure is user and application data, and this is where Firebase Authentication (whether using Simple Login or Custom Login) comes in. Firebase Authentication is essentially token generation - taking confirmed, identifiable user data and passing it securely to Firebase so that it cannot be spoofed.
Read / write access to different paths in your Firebase data tree is governed by Firebase Security Rules, which allow you to write JavaScript-like expressions to control which clients can access which data.
Here's an example:
Suppose you have a user list, where each user is keyed by user id,
such as /users/<user-id>/<data>, and you want to ensure that only
the logged in user can read / write their own data. With Simple Login,
this is really easy!
Looking at the After
Authenticating
section of Email / Password authentication docs, we see that the
auth variable in our security rules will contain a number of fields
after authenticating, including id, the user's unique user id. Now
we can write our security rules:
{
"rules": {
".read": false,
".write": false,
"users": {
"$userid": {
".read": "auth != null && auth.uid == $userid",
".write": "auth != null && auth.uid == $userid"
}
}
}
}
What's going on here? Firebase Authentication (using Simple Login)
securely generated a token containing your verified user data upon
login, and that token data becomes available in your security rules
via the auth variable for the connection. Now, in order for a client
connection to read or write to /users/xyz, the user must be
authenticated and authenticated as user xyz.
Most of the above is covered in the Security Quickstart but it is admittedly a little hard to wrap your head around.
Back to your initial question, if you want to redirect away from certain paths when a user is not authenticated, you can do the following:
var ref = new Firebase(...);
var auth = new FirebaseSimpleLogin(ref, function(error, user) {
if (!user) {
// we're logged out, so redirect to somewhere else
} else {
// we're logged in! proceed as normal
}
});
Hope that helps!
Please note:
Login is now a core feature of Firebase. Simple Login has been
deprecated and documentation for this client is now available on
Github.
See this page for more info:
https://www.firebase.com/docs/web/guide/user-auth.html