I can't seem to find anywhere on how to access my realtime-db with service account from front-end. I need to make a small standalone web app that can interact with my realtime-db and change some resources that are restricted to authenticated users (and locked to his uid)
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid",
}
}
}
}
I know I can do it in node.js with firebase-admin library, but I need a way to do this on client side only.
There is no built-in way to authenticate with an IAM account from the Firebase client SDKs. If this is a requirement for your app, you could build it as a custom authentication provider.
In that scenario you implement the client-side to determine the IAM user, send that information to your own server (or Cloud Functions that you write) to generate a custom token. The client then uses the custom token to sign in.
Related
I have integrated the Firebase API in my web project. I have also enforced app check in my web project. The following are my database rules:
"rules": {
".read": "auth != null",
".write": "auth != null"
}
Every day I keep getting an email from Firebase saying that my database has insecure rules:
- any logged in user can read your entire database
- any logged in user can write to your entire database
I have already enforced app check. What more do I need to do to secure my database?
{
"rules": {
"gallery": {
"$artwork": {
".read": "true",
".write": "auth.uid === \"UID\""
}
},
"gallerymap": {
".read": "true",
".write": "auth.uid === \"UID\""
}
}
}
I am creating a gallery that stores the artworks information in a real-time database, so I can add artwork through a page and store it. How do you send a write request along with the UID?
I can't find any documentation for sending a write request along with the UID.
To set the auth variable (including auth.uid) you have to sign the user in to Firebase Authentication. Once a user is signed in to Firebase Authentication, their token is automatically passed with any calls to the Realtime Database SDK, and the auth. variable in your rules is automatically populated from that.
If you're not using Firebase Authentication yet, the simplest way to add it is by implementing anonymous authentication which doesn't require the user to enter any credentials. I usually use anonymous authentication as a first step, print the UID that I get back in my code, and then copy/paste that into my security rules.
I am new to Firebase. Recently I registered my web-app and my android app in my firebase project. I have a Realtime Database in my project where the following rules are set:
{
"rules": {
".read": "auth !== null",
".write": "auth !== null"
}
}
I just got an email today from firebase saying that my database is insecure as any authenticated user can modify it. So my question is what rules do I set in my database such that only some users registered in my firebase project (i.e., my web app and my android app) can access it?
The simplest way to allow only users of your app to access the data, is to implement Firebase App Check in the application and then enforce that for the Realtime Database.
This topic has been covered quite a few times before, so I recommend also checking out:
Locking down Firebase DB access to specific apps
Firebase rules that supports only requests from my apps
In my learning process, I created a simple (Android) game where the user's results are stored in the Firebase database. For developing purposes, I set Firebase rules to read/write without restrictions. Now I want to use rule, where only my application can read/write in the database.
How can I do it? After some browsing, I found samples where users have their own username/passwords. I don't have that kind of application. I just want that only my app has access to the database.
Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id where $user_id is the ID of the user obtained through Authentication. This is a common scenario for any apps that have data private to a user.
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
More info can refer to here : https://firebase.google.com/docs/database/security/quickstart#user
I have several ESP8266 accessing the same Firebase Realtime Database. Though I know 'secret' is deprecated, it is the only way for them to be authenticated. Cf. https://github.com/FirebaseExtended/firebase-arduino
I am facing this question: I would like to grant access to each of them only to its authorized node (and deeper ones of course). Indeed, I would like to reproduce these classical rules:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
Is there something equivalent while using 'secret' ?
There is no equivalent. When you use the database secret, all your access to the database is completely unrestricted, and is not affected by security rules. It's effectively "root" access to your database - there is no auth and no uid. User based security is only available to client code that's actually using Firebase Authentication to verify the identity of the user.