I am new to firebase and I am building a small SPA.
I could set the security rules like the following. (Only authenticated user can read or write his own projects.)
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This works fine but when I sign in to my app, inspect the source code and try adding hidden extra objects in project form, firebase still accept it.
In this screenshot, the objects such as blablab, blablabla are added from Chrome's inspect tool.
As the data structure has to be like
users-->userId-->projects-->unquieKey-->project_title
But after I added it, the db structure is messed up.
I want to know that how can I prevent someone sending extra data or spam objects?
When you use this:
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It means only authenticated users can read and write to the database. So every user who was authenticated will be able to send data to the database. To prevent spam, you need to think of a way(maybe a function that prevents user to write specific words to the database)
You can also use validation, that can help a bit:
{
"rules": {
".validate": "newData.isString() && newData.val().length < 100"
}
}
more details here: https://firebase.google.com/docs/database/security/
You can use this:
{
"rules": {
".read": true,
".write": false
}
}
to prevent anyone from sending data
Related
Looking to make my server more secure at this moment my Firebase Security Rules are
{
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
The above rule would allow anyone that has a user credential to change data. This would make the data insecure therefore what I am looking to do is change the security rule so that only the owners of the data are allowed to change their information. please note that my data structure on the real database has two nodes
Please see the attached image below
We just want to secure posts the code I am trying to run and it's not working
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
The error I am getting is simulated read denied
I'm not sure whether the title of this is appropriate as I'm new to Firebase Authentication and rules, however, I have successfully setup authentication and am now trying to protect a particular route and can't seem to access the relevant data, here's my Firebase rules on my realtime database:
{
"rules": {
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
},
"demo": {
".read": "accounts.$uid === auth.uid",
".write": true
}
}
}
As you can see, I'm trying to access the accounts/$uid/ from within "demo", it doesn't seem to work, what am I missing/what do I need to change?
Many thanks
UPDATE
The code in question not working is:
".read": "accounts.$uid === auth.uid"
I can't seem to access this part. It doesn't seem to get the current user's authentication status.
UPDATE
See attached screenshot for my attempt on using a predefined variable. I'm simply trying to get the auth status and I'm getting an error saying it's undefined?
The UID of the current user who is trying to access the data is available in auth.uid. If you're trying to ensure that a read of quotes is only allowed if the user has a document in the accounts node, you're looking for exists().
"website-quotes": {
".read": "root.child('accounts').child(auth.uid).exists()"
}
I wanted to make a rule that only I could write to my database when I was logged in.
My understanding is that ".write": "$uid === auth.uid" only limits writing to authorized users not just specifically to me.
I wasn't 100% sure how to accomplish this so what I ended up doing was setting up a GitHub login (for the 2FA).
I took the UID from that and added it to an admins section of my structure and had the rules check against that.
I'm not sure if that actually works they way I have it setup here so I thought I'd ask the community.
{
"rules": {
".write": "root.child('admins').child('uid').val() == auth.uid",
"admins": {
".read": "false"
},
"users": {
".indexOn": ["id"],
".read": "root.child('admins').child('uid').val() == auth.uid"
},
"posts": {
".indexOn": ["location"],
".read": "true"
}
}
}
Custom Claims.
The Firebase Admin SDK supports defining custom attributes on user
accounts. This provides the ability to implement various access
control strategies, including role-based access control, in Firebase
apps. These custom attributes can give users different levels of
access (roles), which are enforced in an application's security rules.
{
"rules": {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
}
}
I have a database like this:
The first key is the userId, has to be connected, and the next keys only him can read and write. How I can manage the rules to be safe and no one can't see the key of each other ? I begin with that but I don't think is enough
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Because you are using the user ID as a key you can use it in your rules to make sure users can only read/write to their own nodes like this:
{
"rules": {
"$user_id": {
".write": "$user_id === auth.uid",
".read": "$user_id === auth.uid"
}
}
}
For more information you can take a look at the firebase docs about User Based Security and Securing Data. For a more extencive answer about linking users to their data you can take a look at my answer here.
I'm new to app development I want to make the user read and write his own data from fire base real time database and every user has his own data .
And this are the rules:
{
"rules": {
".read":true,
".write":true
}
}
And here is a pic show what every single user have:
Thanks in advance
You need to separate your data into sections based on the user's UID.
So your data would need to be more like:
userId
DONE_LIST
...
TO_DO_LIST
...
LESSONS
...
And then your rules can be:
{
"rules": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
For more details on Firebase rules, please see https://firebase.google.com/docs/database/security/#section-authorization.