I have a React app which I developed for my own usage in localhost development mode.
The app stores some data to a firebase realtime database which I created just for the project.
Has no authentication, since only I use it in development mode.
The rules on the firebase database are the default ones:
{
"rules": {
".read": true,
".write": true
}
}
Thus firebase alerts me to the usual: 'Your security rules are defined as public, so anyone can steal, modify...' - warning.
My understanding is that in this case, the only way someone could get access to my data is if they got hold of information about the firebase instance, such as apiKey, database URL, authDomain. Is this true? (Or is there some other straightforward way people can get access to the data in this case, obviously not talking about hacking my computer/google account, etc.
This data is important to me, so basically I am wondering if my current practice is secure.
PS: I do understand how to set up firebase database security for a 'normal' user app. However, in this particular instance, I believe it is not needed, is this correct?
Thanks very much.
Anyone who knows the URL to your project can now read, and write your data. They can delete your entire database with a single command. While this may be exactly what you want (which is why Firebase allows it), most applications need more controlled access to their data (which is why you get alerts from Firebase to that effect).
Your best option is to add Firebase Authentication to your app. With that you can ensure that you are indeed the only person using it. Right now your statement about that is an assumption based on your faith in nobody having access to your URL. By implementing authentication, you can actually ensure that you're the only person having access to the data.
This could be as simple as implementing anonymous authentication, which generates an ID for the user without requiring them to provide any credentials. If you then log that ID, you can restrict access to the database to that one user with rules like this:
{
"rules": {
".read": "auth.uid === 'your_uid''",
".write": "auth.uid === 'your_uid''"
}
}
Even that simple change already makes your database much more secure, as now only that one user can access the data.
I strongly recommend that you spend some time reading more about Firebase's security model and rules, and that you then secure your database. Not only will this get rid of the alert, but (more importantly) it ensures the data is only accessed in ways that you control.
Using API key, database URL, auth Domain and etc, your end application makes a connection with the server. In short, all your API keys, database URL, auth Domain and etc are openly available. But this is not a problem until and unless your security rules are in place to protect your data from getting explored. Read more about Security Rules.
There are a few simple steps to protect or secure your data: [These are tips from me]
Use Authentication: This is the easiest way of keeping track of the user and the data the user can access or modify.
Note: Never trust the data coming from the user. You must validation the each and every data coming from the user.
Use of Functions: Functions have a special property - They can bypass the security rules. Remember not to expose all the data to users/open world. You can send the data to the invoked functions and let all the functions handle all the logic. This method is costly from the financial and request/response view.
Related
I've developed an app which relies on Firestore for storing some user's data. This app doesn't have any login mechanism, as it uses the device UUID as identifier; we're not managing any sensitive data, btw.
I'm getting daily warnings from Firestore regarding the absence of security rules in my database, but as long as I don't have any login mechanism and my users need to both read and write from it, I can't see any way for implementing a useful security rule.
Is there any pattern I could follow in this situation? Is there any way to create a security rule for allowing to only read and write data created by the same user without any user authentication?
Thanks in advance
It sounds like you want to identify the user, but then without authentication. My guess is that you want to identify them, without requiring them to provide credentials.
If that is the case, you're looking for Firebase's anonymous authentication provider, which assigns a unique, unspoofable ID to each app instance. Signing in anonymously takes very little code, for example for Android it's:
FirebaseAuth.getInstance().signInAnonymously();
After this call completes, the user has an ID that you can then use in your security rules to identify the data from this user.
So if I have an E-commerce App that doesn't require Login/Auth, and my users buy in the store, then after verifying the transaction the backend writes the order in the database.
The thing is that my Realtime Database just relies on Stripe transaction key (i.e, someone has paid for an item) to be able to write on the DB, because my rules are set so anyone can write, otherwise I would need every user to log in, but that's not what I want.
Firebase recently notified me that my rules are weak.
How can a make sure my users are able to write to my database in a secure way for my app, without log in/Auth?
There are many different security models you can use with Firebase, and it's important to understand the level of security each provides.
One thing to look into is anonymous auth which lets you "authenticate" a user without actually requiring them to provide any credentials. This provides a way to guarantee that the same device is being used between multiple reads/writes.
In your specific case, it sounds like you might be looking to rely on unguessable tokens. This can be a valid security model for some use cases so long as the key is sufficiently complex as to be unguessable.
At its most basic, the way you'd structure security rules for unguessable URLs is something like:
{
"rules": {
"transactions": {
"$key": {
".read": true,
".write": true
}
}
}
}
This allows users to read/write specific nodes at e.g. transactions/abc123xyzunguessable but importantly does not allow reading/writing to the parent transactions node. Security comes from the fact that only the person who originally got the unguessable token will be able to provide it again in the future.
A better implementation would gate writing on the $key matching the expected unguessable format, adding validation and other read/write rules to ensure that the data is formatted appropriately, and probably also prevent modification of key fields.
These are just some pointers but should help you on your way. The important thing is to make sure that you never leave important information in a place where it can be read through easily guessable URLs.
There is no "secure" way to allow writes to Realtime Database without Firebase Authentication. Without Firebase Auth, either there is full public access, or there is no public access at all.
If you can't use Firebase Auth, what you will need to do instead is make your security rules disallow all direct access to the database from client applications, then create backend APIs to manage access to the database. Your backend APIs will need to somehow validate that the person making the request should have the ability to make the required changes. Then, it will have to use the Firebase Admin SDK to commit those changes to the database.
I'm starting with firebase and i've a very basic question
in firebase rules for database i've:
{
"rules": {
".read": true,
".write": true
}
}
According to google it means that anyone can read and write on database.
My question is who anyone?
Let me clarify:
I don't want to force the user of my app to login, nor to have an account on google in order to use it.
this project is not shared with other people, other apps or any other stuff
is it possible to somebody to access the data stored in firebase? if yes how?
again if yes, what should i do to protect the data without forcing users to have credentials?
true here mean there is literally no protection of your data. Anyone who has the tools, and the name of your Firebase project, is able to fully read and write all your data. It should be considered that your database has extreme privacy concerns, which is especially bad for the data you're storing about your users.
Anyone can use something as simple as the REST API to access your entire database (or delete your entire database) with one request.
Without Firebase Auth, you should restict all access through some other protected API that you control. It's outside the scope of this question to fully explore how to set up that other API.
Referring to:
{
"rules": {
".read": true,
".write": true
}
}
You can imagine that the boolean value for the read and write as a security gate where true is open access and false is dead end. By stating it "true" means that people could just access your database (somehow) without even using your app.
Your points are:
This app is only for private used.
This app will not and never be distribute to other non-relevant people.
But, how do you make sure other people won't attack/ access your database? People could still access your database through browser controls (JS, Angular etc.).
Do remember, reverse engineering is possible, they could obtain your database information as well as your firebase credential JSON file, which could make your data in risk.
No matter what, it is advisable you restrict the security rules. My recommendation is to implement a simple role based security rule to prevent abusive and unauthorised API call usage.
More of a theoretical question, but I am interested in the correct way that public data should be accessed from a Firebase realtime database. This is data that is viewable just by going to a webpage (no sign in needed). In the past I would create an anonymous account, but this seems inefficient (for each viewer of the site) and seems like I might as well set .read to true in the rules so that no accounts are needed to access the data.
However, it seems like Firebase generally advises against setting .read to true within the rules, so I was wondering what the correct convention here would be.
Generally speaking, setting .read to true is used for testing purposes, where you don't need authentication and where there are no sensitive data of your users. If the content of your app does not contain data that need to be private, then you can use this settings but if you decide in the future to add authentication and you want to store sensitive data about your users in your database, it's mandatory to secure your Firebase database using Firebase Realtime Database Rules.
Hope it helps.
I've just written a small single page javascript application (for internal company use) that will be hosted on S3 and uses Firebase as the datastore.
I'm aware that a devious hacker could probably find a way to delete all the data in Firebase if they were determined enough using the javascript console.
None of the data in this application should ever be deleted.
What Firebase rules can I use to ensure data cannot be deleted by any authorised user? It this even possible?
Thanks
Yup, that's fairly simple:
".write": "!data.exists() || newData.exists()"
So you can write if there's either no data at the location or if you're writing new data.