This question already has answers here:
Locking down Firebase DB access to specific apps
(2 answers)
Closed 3 months ago.
I have two apps registered in Firebase, say App A and App B. I haven't setup any firebase authentication system but I want to allow requests only from App A and App B. I want to check if the request is coming from my apps and then only perform the actions. If the request is from somewhere else then just reject it.
I want to have this security for Cloud Firestore and Firebase Storage.
Currently, this feature isn't available, some of this will be rolling out in the near future using the new App Check: https://firebase.google.com/docs/app-check
At this time, App check only supports:
Realtime Database
Cloud Storage
Cloud Functions (callable functions)
Related
This question already has an answer here:
Does Firebase JavaScript API catch-up with server when re-connected
(1 answer)
Closed last year.
I have a web app that uses a Realtime Database to store data. If I go offline while the database is connected, make changes, and reconnect, everything works as intended. However, I'm trying to make my web app work as a PWA. Right now, the database only works offline if the page goes online while being used. If you close the app fully while offline and open the app, it won't load.
I see that Cloud Firestore for web has the enableIndexedDbPersistence() method, which appears to do what I want, although obviously since it's for a different service I can't use it. I also see that Realtime Database for Android has FirebaseDatabase.getInstance().setPersistenceEnabled(true), but since its for Android I can't use it for a web app.
Is there a way to enable this functionality?
Firebase Realtime Database only supports disk persistence in its Android and iOS SDKs. There is no disk persistence in the JavaScript SDK for Firebase Realtime Database.
Also see:
Does Firebase JavaScript API catch-up with server when re-connected
This question already has answers here:
how can i restrict access to firestore database to only requests coming from specific domain?
(2 answers)
Closed 1 year ago.
I'm trying to avoid people spoofing my web app in order to gain access to the Firebase backend, specifically the Firestore databases. The logic of the app and the rules I'd have to implement would result in a much higher usage than if I could just restrict access to the domain that the website is hosted on. Is there a way to only allow access to a specific domain?
I think you are looking for Firebase App Check.
App Check helps protect your backend resources from abuse, such as
billing fraud and phishing. It works with both Firebase services and
your own backends to keep your resources safe.
With App Check, devices running your app will use an app or device
attestation provider that attests to one or both of the following:
Requests originate from your authentic app
Requests originate from an authentic, untampered device
This question already has an answer here:
How can I rent and use my own servers for cloud functions? [closed]
(1 answer)
Closed 1 year ago.
The cloud function in firebase needs you to enable the billing plan.
Can I use cloud functions on my own Nodejs server and access the events by installing npm install firebase-functions without enable cloud functions on firebase?
No. You can only use the Firebase Functions Emulator to test your functions locally (you cannot deploy to Firebase unless you enable billing). Self-hosting a server is different and using server-less Cloud functions and may not be as easy to scale like Cloud functions do.
The events (like Firestore triggers) that you are referring to can be used to trigger Cloud functions only. If you host your server on your server then it'll be best to route all the operations through it. For example, if you wanted to trigger a function when a new document is added to Firestore, instead of creating the document directly from client make a request to your server and add the document using Admin SDK and process anything else at the same time.
This question already has answers here:
Check whether there is an Internet connection available on Flutter app
(27 answers)
Closed 2 years ago.
I'm using flutter with firebase, how can I know if my device is connected to the internet or not when I wanna make a query to firestore? if my device is offline what will firestore return ?, I must detect the device connectivity situation, so I can emit a certain state in my app.
The Firestore SDK doesn't provide any way to know if the app is offline. The SDK was designed to work while offline. So, if you perform a query while offline, you will either get cached results, or the query will silently retry in the background.
If you want to test for connectivity, you will need try another method to do that. Or, you could use the Firestore REST API (not the Flutter SDK) and detect if the query failed due to network problems.
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Should I hide firebase api keys into backend? Not due to data security but project cloning issue
(2 answers)
Closed 2 years ago.
I have been messing around with Firebase in a web app and realized there's something I don't understand.
In order for the JS code to send data to the Firebase servers, your apiKey has to be in the JS. But then that means your API key is public, and anyone using your website can inspect the code and just send arbitrary commands to Firebase on your behalf from the dev tools, or from any other site now that they have the API key.
I know I must be missing something, since this would make Firebase not useful. What is it I'm missing? What prevents users from sending arbitrary commands to Firebase with your ApiKey?