Xamarin Firebase Authentication for an application - firebase

In my learning process, I created a simple (Android) game where the user's results are stored in the Firebase database. For development purposes, I set the Firebase rules to allow read/write without restrictions. Now I want to use a rule where only my application can read/write in the database.
How can I do it? After some browsing, I found samples where users have their own username/passwords. I don't have that kind of application. I just want that only my app has access to the database.

Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id where $user_id is the ID of the user obtained through Authentication. This is a common scenario for any apps that have data private to a user.
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
For more info, refer to: https://firebase.google.com/docs/database/security/quickstart#user

Related

How to write to the firebase realtime database that only allows a certain UID to edit?

{
  "rules": {
    "gallery": {
      "$artwork": {
        ".read": "true",
        ".write": "auth.uid === \"UID\""
      }
    },
    "gallerymap": {
      ".read": "true",
      ".write": "auth.uid === \"UID\""
    }
  }
}
I am creating a gallery that stores the artworks information in a real-time database, so I can add artwork through a page and store it. How do you send a write request along with the UID?
I can't find any documentation for sending a write request along with the UID.
To set the auth variable (including auth.uid) you have to sign the user in to Firebase Authentication. Once a user is signed in to Firebase Authentication, their token is automatically passed with any calls to the Realtime Database SDK, and the auth variable in your rules is automatically populated from that.
If you're not using Firebase Authentication yet, the simplest way to add it is by implementing anonymous authentication which doesn't require the user to enter any credentials. I usually use anonymous authentication as a first step, print the UID that I get back in my code, and then copy/paste that into my security rules.

Firebase Realtime Database - What is the equivalent of auth.uid if I use a secret to authenticate?

I have several ESP8266 accessing the same Firebase Realtime Database. Though I know 'secret' is deprecated, it is the only way for them to be authenticated. Cf. https://github.com/FirebaseExtended/firebase-arduino
I am facing this question: I would like to grant access to each of them only to its authorized node (and deeper ones of course). Indeed, I would like to reproduce these classical rules:
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}
Is there something equivalent while using 'secret' ?
There is no equivalent. When you use the database secret, all your access to the database is completely unrestricted, and is not affected by security rules. It's effectively "root" access to your database - there is no auth and no uid. User based security is only available to client code that's actually using Firebase Authentication to verify the identity of the user.

Firebase realtime-db access with IAM service account on frontend

I can't seem to find anywhere on how to access my realtime-db with service account from front-end. I need to make a small standalone web app that can interact with my realtime-db and change some resources that are restricted to authenticated users (and locked to his uid)
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid",
        ".read": "$uid === auth.uid"
      }
    }
  }
}
I know I can do it in node.js with firebase-admin library, but I need a way to do this on client side only.
There is no built-in way to authenticate with an IAM account from the Firebase client SDKs. If this is a requirement for your app, you could build it as a custom authentication provider.
In that scenario you implement the client-side to determine the IAM user, send that information to your own server (or Cloud Functions that you write) to generate a custom token. The client then uses the custom token to sign in.
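The server side of the custom-token flow from this answer, as an added example (not code from the original answer or from Firebase's SDK): it builds the token by hand with Node's crypto module, using the claim layout Firebase documents for third-party JWT libraries. The key pair and service-account e-mail are constructed placeholders, and `verifyCustomToken` is a hypothetical local check.

```javascript
const nodeCrypto = require('node:crypto');

// Audience value Firebase documents for custom tokens.
const FIREBASE_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

const b64url = (text) => Buffer.from(text).toString('base64url');

// Server side: call this only after your own code has verified who the caller is.
function mintCustomToken(uid, serviceAccountEmail, privateKey, now = Math.floor(Date.now() / 1000)) {
  if (typeof uid !== 'string' || uid.length === 0) {
    throw new Error('uid must be a non-empty string');
  }
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: serviceAccountEmail,
    sub: serviceAccountEmail,
    aud: FIREBASE_AUD,
    iat: now,
    exp: now + 3600, // custom tokens are valid for at most one hour
    uid,             // surfaces as auth.uid in the security rules
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Hypothetical local check: verify the signature and return the claims.
function verifyCustomToken(token, publicKey) {
  const [head, body, sig] = token.split('.');
  const ok = nodeCrypto.verify(
    'RSA-SHA256', Buffer.from(`${head}.${body}`), publicKey, Buffer.from(sig || '', 'base64url'));
  if (!ok) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
}

// Constructed demo key and service-account name; a real deployment loads the
// service-account private key from a secret store on the server, never the client.
const { privateKey: DEMO_PRIVATE_KEY, publicKey: DEMO_PUBLIC_KEY } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const DEMO_SERVICE_ACCOUNT = 'demo-sa@example-project.iam.gserviceaccount.com';

const demoToken = mintCustomToken('iam-user-42', DEMO_SERVICE_ACCOUNT, DEMO_PRIVATE_KEY);
console.log(verifyCustomToken(demoToken, DEMO_PUBLIC_KEY).uid);
```

With the Admin SDK on the server, `createCustomToken()` performs this step; the client then signs in with the returned token and the `$uid === auth.uid` rules apply to it.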

Firebase Database Security

I'm new to Firebase database, so I have a question concerning the database.
My database rules so far are public, like this:
{
  "rules": {
    ".read": "auth == null",
    ".write": "auth != null"
  }
}
I want the access to my database info (read and write) to be only for my application. I want to make my firebase to only allow read and write instructions if the appID or BundleIdentifier or something that identifies that it is my app who's trying to operate.
Is it possible? I don't want to use Firebase user authentication.
With the configurations I have so far is it possible for anyone in the world to access my database?
It's not possible to use the app's ID with Realtime Database security rules. The list of properties you can use in rules is documented here.
Also, if you want to allow full read access to your database, consider also saying this:
{
  "rules": {
    ".read": true
  }
}
What you have now ".read": "auth == null", only allows read access if you are not authenticated. Authenticated users would not be able to read, which doesn't sound helpful.

Keeping firebase data secure

So the last thing I want is anyone accessing the database that isn't supposed to. Users on my app create an account which has a key and children in my database (an easy to access user profile) and it also makes an auth account. The rules of the database state that only authenticated users can access the database. Is it possible for someone who is authenticated to somehow access the rest of the database (through hacking maybe)? This is my first app using firebase and I want to make sure that user information will be protected.
It depends on your rules.
If the rule is:
// These rules require authentication
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
This kind of rule allows full read and write access to authenticated users of your app. In other words an authenticated user can access all the data in the database without any hacking.
If you set something similar to this rule:
{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}
it grants write access to the owner of this user account but only of this data.
It means that you have to set the rules to obtain the wanted result for each node in your data.
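To compare the rule sets quoted in the questions and answers above, here is an added example (not part of any answer, and a simplified model rather than Firebase's rule engine) that walks a path through a rule tree and reports whether a read or write would be granted. The `allowed` and `evalRule` helpers and the user `alice` are hypothetical names constructed for the illustration.

```javascript
// Rule sets copied from the questions and answers on this page.
const ANY_SIGNED_IN = { rules: { '.read': 'auth != null', '.write': 'auth != null' } };
const READ_IF_SIGNED_OUT = { rules: { '.read': 'auth == null', '.write': 'auth != null' } };
const PER_USER = {
  rules: { users: { $uid: { '.read': '$uid === auth.uid', '.write': '$uid === auth.uid' } } },
};

// Evaluate one rule expression. Rule strings are JavaScript-like, so this toy
// compiles them with Function(); only do that with rule strings you wrote yourself.
function evalRule(expr, auth, vars) {
  if (expr === undefined) return false; // no rule at this level grants nothing
  if (typeof expr === 'boolean') return expr;
  const names = Object.keys(vars);
  try {
    const fn = new Function('auth', ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch {
    return false; // e.g. reading auth.uid while signed out
  }
}

// Walk from the root towards `path`; the first rule that evaluates to true grants
// access to everything below it (grants cascade and cannot be revoked deeper down).
function allowed(ruleset, op, path, auth) {
  const segments = path.split('/').filter(Boolean);
  const vars = {};
  let node = ruleset.rules;
  for (let i = 0; node; i++) {
    if (evalRule(node['.' + op], auth, vars)) return true;
    if (i === segments.length) return false;
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith('$'));
      if (wild) vars[wild] = seg; // bind e.g. $uid to the path segment
      node = wild ? node[wild] : null;
    }
  }
  return false; // fell off the rule tree: default deny
}

const alice = { uid: 'alice' }; // constructed signed-in user
console.log(allowed(ANY_SIGNED_IN, 'read', '/users/bob', alice)); // another user's node
console.log(allowed(PER_USER, 'read', '/users/bob', alice));
```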
