This image shows the Authentication for my Firebase Database Security: Authentication
I only allow Email/Password Sign-in method, everything else is disabled.
I don't allow my users to sign in manually.
My Android app logs in via code and it uses just one set of Email/Password:
My question is how come I am still getting this warning: Warning
I've followed thru the enter link description here but this sample uses Google sign-in method. And all the other samples or discussion I've read use the same method. Has anyone here tried Email/Password Sign-in Method? Thanks!
That authentication and the firebase realtime database are different things. Your authentication method doesn't control who has access to that database.
This means that anyone who has access to the keys, will be able to access your db. So if your client app (Android / ios / web app) access the database directly, your users will be able to do that too.
To secure it you need to use specific read/write rules. Your best explanation will be from their documentation which can be found here https://firebase.google.com/docs/database/security
Related
I am using Firebase Auth to authenticate users using the Email/Password Method. Sometimes I detect spam users that create a lot of accounts from one IP address. I want to block them to protect my app.
I know that there is a method called "Disable User Account" in Firebase Console. I want to use it in my project.
I searched in Stack Overflow as well as the Firebase Docs and found that this only can be done in Admin SDK but I want to use it in the Firebase Web JS SDK. So is there a method to do that like user.DisableAccount?
There is no method to disable a specific user's account in the client-side Firebase SDKs, as that would be a security risk.
But if you look at the documentation for updating a user with the Admin SDK, you'll see there is a property disabled that you can set to true.
From that moment in, that user won't be able to sign in or refresh their ID token. Their existing ID token is still valid though, and by default, that means it may take up to an hour for them to get signed out of your app. If that interval is a concern for your use case, have a look at the documentation on managing user sessions, specifically the section on detecting ID token revocation. While more work, this allows you more granular control of the expiration of the token.
Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like .
Username
Profile pic path
They set it to a bad word and bad pic.
So then i Also Checked the Firebase rules and redefined them..
Like
Only Authenticated users can read/write.
But problem is.
The hacker is still updated the Value on firebase db.
and i want to know what i am missing.
Is it possible to update a Firebase db without the whole secure key and things..
using a browser may be?
User data of a single user ...
email : "https://m.me.developer.scg"
lastseen : "1617987743"
pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)"
privacy : "PU"
state : "offline"
status : "Lets watch some movies"
type : "FREE USER"
username : "FU*KED BY DreamPLAY"
Here the hacker updated the 3 fields.
email :
pic:
username:
You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
I will answer as parts :
Reason of Problem :
The Hacker found your API then created project and added your API to it then he
created authenticated user then he updated the fields , So this the reason of
problem
Solution :
First : is to create unique Fields (e.g Email to 1234567890Email as
Example but more secure)
Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)
Third : Is to create more secure rules as to denied access to Entire Database but just
give access to some collections or even documents So it will be more
secure
I just covered the most famous actions (You can see more but by google your problem)
& Wish I helped you :)
I just thought of a way to secure Firebase credentials so thought of a way to use a custom cloud functions authentication function (URL based function) to accept user credentials like username and password via URL encoded parameters. This method will only use database(firestore would be preferable). The function will only have to create custom tokens and send it to the user while keeping the user's temporary data like IP addresses etc. So request to write or read to the database will only be granted to this function.
You CAN prevent all those non authencated activities right from your firebase console.
GO to your firebase console, Open your project's android app.
Add SHA fingerprints of your app's SHA signing certificate fingerprints.
I am building apps using Firebase (Storage, Functions, Hosting, Real-Time Database and Firestore). In the apps, the user authenticates using a third-party library (like Google connect but not Google).
I don't know how to protect my database because I am not using Firebase Authentication. How can I use this third party authentication to protect data for example? Maybe I need to create a user manually and attach information to him so that this info will be available in the Security Rules editor?
Thanks
I don't think you can secure your database or storage without a form of authentication.
Now firebase provides multiple methods of authentication (email , google, custom , anonymous .....).
What you might want:
You might want to add custom login to your users in which they get registered with extra data that you provide. And they will still get a user id that you will use to check in the rules to allow read and writes along with some custom data you provided while registration (so you can check these data from the rules).
The way I set up my signin, I am using firebase auth custom tokens. After 5 tries the account is locked. However there still exists a security flaw.
Suppose a hacker comes along an implements his own javascript file. All he has to do is implement firebase signInWithEmailAndPassword function and try as many email/password combination as he likes and eventually he will be able to get both the username and password. Then from there, sign into my normal system and I would never be able to detect that I was hacked.
I believe I have to implement some sort of firebase security rules for this issue, but I do not know where to start and how to guard the firebase users. Is there a way to stop someone from implementing that function?
I looked at firebase security rules and it shows how to protect the firebase database. But that doesnt work for my purpose. I need it to protect the firebase authentication users.
The easiest and best solution is simply to disable all sign-in providers in the Firebase Console for your project. Custom auth is always enabled and can't be disabled.
You need to go to the "Authentication" section -> "SIGN-IN METHOD" -> "Sign-in provider".
https://firebase.corp.google.com/u/0/project/$PROJECT_ID/authentication/providers
If the user tries to create a password account, they will get an error operation-not-allowed.
I know there is a way to log in anonymously with Google Firebase, but I haven't gotten it working. The issue I am having is that my app needs to be accessible on any device without logging into any account with the app.
It needs to have full control of the app's database, both reading and writing. This app isn't really meant for public use, so I am OK with anonymous authentication. I also should not have to click a button in order for it to authenticate, it should do it automatically. I tried adding the code that Google provides, but it still wont authenticate. It does work with a Google account.
Thanks!
It was an issue related to the database rules. The default rules are set so that only authenticated users are able to read and write to the database. I set both so that anyone can read or write to the database from any device without logging in.