Firebase validate rule. How to make the rules work? - firebase

Data in Firebase has the following structure:
emailsLending
|___-LqQFYK-iI8a8qe2msVk
|___email
|___serverTimestamp
I wrote the following rules checking the entry in the email field:
{
  "rules": {
    "emailsLending": {
      "$emailsLending_id": {
        ".indexOn": "email",
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,4}$/i)"
        }
      }
    }
  }
}
But when I write data to the email field using the Cloud Function, the rule does not apply and I can write anything, for example, "123".
What am I doing wrong?

Cloud Functions run with administrative privileges, and by default bypass the security rules of your database.
The logic here is that rules are to protect against malicious behavior from untrusted users, while Cloud Functions are authored by the most trusted users: collaborators on your app. To catch mistakes made by these types of users, you'd typically use unit tests instead of security rules.
If you have a case where this logic doesn't apply and you're using the Realtime Database, you can set databaseAuthVariableOverride to the UID of the user to run the code as. For an example of this, see the Firebase documentation on accessing user authentication information.
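Because the .validate rule above is skipped for admin writes, the same two conditions have to be applied inside the function. The following is an added example, not code from the question or the answer: it mirrors the rule's string-and-regex check in plain Node.js and keeps the check pure so it can be unit-tested with no Firebase project; `db` is assumed to expose the Admin SDK shape `ref(path).set(value)`.

```javascript
// Same pattern as the .validate rule (case-insensitive), applied in code
// because Cloud Functions write with admin privileges and bypass the rule.
const EMAIL_RE = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;

// Mirrors "newData.isString() && newData.val().matches(...)".
function isValidEmail(value) {
  return typeof value === 'string' && EMAIL_RE.test(value);
}

// Builds the write for /emailsLending/<id>/email, or throws on bad input.
// Pure, so it can be unit-tested offline.
function prepareEmailWrite(id, email) {
  // Realtime Database keys may not contain . $ # [ ] or /
  if (typeof id !== 'string' || id.length === 0 || /[.$#\[\]\/]/.test(id)) {
    throw new Error('invalid push id');
  }
  if (!isValidEmail(email)) {
    throw new Error(`rejected email value: ${JSON.stringify(email)}`);
  }
  return { path: `emailsLending/${id}/email`, value: email };
}

// `db` is assumed to be an object with ref(path).set(value) (Admin SDK
// shape); in a Cloud Function that would be admin.database().
async function writeEmail(db, id, email) {
  const { path, value } = prepareEmailWrite(id, email);
  await db.ref(path).set(value);
  return path;
}
```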

Related

Access Firebase database securely in Android

I am using the Realtime Database from Firebase to read a few flags and do some actions in an Android app. I used to get mail about insecure database read and write rules, so I changed to the following:
{
  "rules": {
    ".read": "true",
    ".write": "false"
  }
}
And now, I only get mail about insecure read.
[Firebase] Your Realtime Database 'abc-xyz' has insecure rules
We've detected the following issue(s) with your security rules:
any user can read your entire database
But if I change read to false then I am unable to read any value changes in real time. Can someone please help me understand how I can secure both read and write but still keep reading values from the app?
PS: I don't use Firebase auth in my app as of now.
Firebase Auth is a cool thing; if you don't want your users to log into an authorization provider account, you can use an anonymous account, which gives you a unique user ID for your app, etc.
Then you can write rules like:
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
If you don't store user data, you probably don't need any authorization. You can still restrict reading and writing by users by adding some area where read / write is available.
E.g.:
{
  "rules": {
    "PublicData": {
      "SomePublicChild": {
        "ChildProperty1": { ".validate": true },
        "ChildProperty2": { ".validate": true },
        "$other": { ".validate": false }
      },
      ".write": true,
      ".read": true,
      ".validate": "newData.hasChild('SomePublicChild')"
    },
    "PrivateData": {
      ".write": false,
      ".read": false
    }
  }
}
These rules will allow anyone to read / write the PublicData node and no one to read / write the PrivateData node. The rules will also protect the structure of your public data: they only allow writing to the PublicData object with the ChildProperty1 or ChildProperty2 properties, and will block writes with any other property key.
It's not a big thing, but you won't receive more mail about insecure rules.

Access URL Parameters In Firebase RTDB Security Rules

I want to read data from Firebase:
firebase.database().ref('videos/' + $videoId + '/data' ).once('value')
But in security rules I don't want to make this readable by anyone. Aka I do not want to use:
".read" : true
I want non-authenticated users to be able to read data if they have a special token, that they pass in the url.
firebase.database().ref('videos/' + $videoId + '/data?token=secretToken').once('value')
My video data looks like this:
{
  videos: {
    $videoId: {
      data: {
        ...
      },
      tokens: {
        secretToken: true
      }
    }
  }
}
I imagine security rules would look something like this:
{
  "videos": {
    "$videoId": {
      "data": {
        ".read": "data.parent().child('tokens/' + auth.urlQuery('token').val()).exists()"
      }
    }
  }
}
Is there any way I can access query string / URL parameters in Firebase security rules? I could use Firebase Functions to create an API, but that is an extra step and network request.
Essentially it would behave like a "token" for Firebase storage:
https://firebasestorage.googleapis.com/v0/b/columbus-c4de8.appspot.com/o/richContent%2F1-min.jpeg_-LPgLxBMt1tBR0dDdNzH?alt=media&token=dfe24c92-e0c2-484a-81df-c09a710b3d34
If the token is correct, then user can read the data.
Note: It's technically possible to use tokens for ".write" security rules. See: Using newData on Updates in Firebase Security Rules
This is not possible, and is also not inherently secure. Firebase security rules would not be secure if anyone had a simple password that let them access data. It's pretty easy to reverse engineer a mobile client to extract the password that allows the query.
If you want to grant access to a query to a user, the only secure way to do that is in tandem with Firebase Authentication, which validates the identity of the person performing the request.

firebase is not giving me the permission i need

firebase.database().ref('meetups').push(meetup)
  .then((data) => {
    console.log(data)
    commit('createMeetup', meetup)
  })
  .catch((error) => {
    console.log(error)
  })
I was doing a project made by Academind called "project with vuejs vuetify and firebase".
my firebase database rules are:
Access to the Firebase Realtime Database is controlled by server-side security rules. The error message you're getting matches the security rules that you shared. Those rules say that no ordinary user can read or write any data from or to the database.
The simplest change that you can make to allow the operation you shared is to allow anyone to write a node under /meetups. The rules for that would be:
{
  "rules": {
    ".read": false,
    "meetups": {
      "$meetupId": {
        ".write": true
      }
    }
  }
}
With these rules, anyone can write a new node under /meetups. But nobody can read any data, nor can anyone write anywhere else (including writing to /meetups itself).
The exact rules you need depend purely on the app that you're building. I recommend:
Reading the documentation for Firebase Database security rules.
Watching this video about security rules in Firebase
Reading my answer here: Firebase email saying my realtime database has insecure rules

Firebase Database, Cloud Functions, Rules

How do I restrict write access to the /lastmodified table in the database named /functions-project-12345 to a Cloud Function only, while giving read & write access to the /chat table to everyone?
/functions-project-12345
/lastmodified: 1234567890
/chat
/key-123456
username: "Mat"
text: "Hey Bob!"
/key-123457
username: "Bob"
text: "Hey Mat"
Cloud Functions run with administrative privileges, which means they bypass the security rules of your database. Knowing that, it is quite simple to secure the database to your requirements:
{
  "rules": {
    ".write": false,
    "chat": {
      ".write": true
    }
  }
}
Have you seen chapter Authenticate with limited privileges here: https://firebase.google.com/docs/database/admin/start ?
It might be what you need.
Basically you need to use Admin SDK and initialize it with a specific uid and service key. Otherwise (namely, if you access database via reference from event which triggered the function), your function will have the same uid (and same access rights) as the client who created the event.
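Both this answer and the /meetups answer above rely on the same property of Realtime Database rules: a `.write` granted at one level cascades to everything beneath it, and a `$wildcard` key matches any child. The following is an added offline evaluator, not Firebase code, that models just that cascade for literal true/false rules (expression rules such as "auth != null" are deliberately out of scope) so the two rule sets on this page can be checked without a project.

```javascript
// Added example: minimal model of Realtime Database rule cascading.
// A ".write": true at any ancestor grants the write to everything below it,
// "false" (or no rule) grants nothing, and a "$wildcard" key matches any
// child segment. Only literal booleans are evaluated; expression strings
// like "auth != null" are treated as not granting (a simplification).
function canWrite(rulesDoc, path) {
  const segments = path.split('/').filter(Boolean);
  let node = rulesDoc.rules;
  if (!node || typeof node !== 'object') return false;
  if (node['.write'] === true) return true;
  for (const seg of segments) {
    let next = node[seg];
    if (next === undefined) {
      // no literal key: fall back to a wildcard child such as "$meetupId"
      const wild = Object.keys(node).find((k) => k.startsWith('$'));
      next = wild !== undefined ? node[wild] : undefined;
    }
    if (next === undefined || typeof next !== 'object') return false;
    node = next;
    if (node['.write'] === true) return true; // cascades to all descendants
  }
  return false;
}

// Constructed copies of the two rule sets discussed on this page.
const chatRules = {
  rules: { '.write': false, chat: { '.write': true } },
};
const meetupRules = {
  rules: { '.read': false, meetups: { $meetupId: { '.write': true } } },
};
```

Writes under /chat and under any /meetups/<id> are granted, while /lastmodified and /meetups itself are not, which is exactly the behaviour both answers describe.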

does the firebase database online editor ignore security rules

I have rules set up that ensure a foreign key like constraint: when I put data at a certain path, the key is validated to exist at another node.
Rule snippet:
"app": {
  "freebies": {
    "$provider_id": {
      ".validate": "newData.parent().parent().parent().child('app').child('providers').child($provider_id).val() != null"
    }
  }
}
If I run a simulation with these params:
Write to /app/freebies
with data: {"totally_fake": 1}
This fails, which is CORRECT.
On the other hand, if I just go to the online editor and add a node to the same location with the same data, it writes the DB without errors.
My question is: does the online editor bypass the security rules?
Yes, it does. The Firebase console, as well as the Admin SDKs, bypass security rules and have "administrative" access to the Realtime Database.