How to restrict write access to /lastmodified table in database named /functions-project-12345 only to cloud function, read & write access to table /chat to everyone
/functions-project-12345
/lastmodified: 1234567890
/chat
/key-123456
username: "Mat"
text: "Hey Bob!"
/key-123457
username: "Bob"
text: "Hey Mat"
Cloud Functions run with administrative privileges, which means they bypass the security rules of your database. Knowing that, it is quite simple to secure the database to your requirements:
{
"rules": {
".write": false,
"chat": {
".write": true
}
}
}
Have you seen chapter Authenticate with limited privileges here: https://firebase.google.com/docs/database/admin/start ?
It might be what you need.
Basically you need to use Admin SDK and initialize it with a specific uid and service key. Otherwise (namely, if you access database via reference from event which triggered the function), your function will have the same uid (and same access rights) as the client who created the event.
Related
I'm beginner and I'm developing a chrome extension that shows data received from my firebase realtime database. It does not need Login, or any personal information.
I'm trying to use REST API. Until now I have been in a test mode so I opened access to data for all. But Google keeps mailing me that I have to change the access rule because it is dangerous.
My present access rule is this:
{
"rules": {
".read": true,
".write": false
}
}
Now, I fetch data from https://<project name>.firebaseio.com/<database name>.json. But if I change the rule, the access will be denied.
So I want to add some key to the url and change access rule according to it so that I can fetch data from the url. For example,
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>.
I do not need personal keys so I want only one key just like when we get information from open APIs. For example, when I use weather api, I get my api key from the host and adds the key to url.
Is this possible? If it is, I wonder two things.
the key that I can use (for example, realtime base wep API key)
access rule of realtime database
You can't pass parameters to the Firebase database like this:
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>
But if you change the order of the values, it suddenly becomes possible:
https://<project name>.firebaseio.com/<some_key>/<database name>.json
We then change the security rules to only allow access when somebody already knows the secret key:
{
"rules": {
".write": false,
"$some_key": {
".read": true
}
}
}
Now the secret key is part of the path of the data, and only a user that already knows the key can read the data for that key.
I have the following Firebase realtime database rules:
{
"rules": {
".read" : "auth != null",
".write": false,
"Games": {
".indexOn" : "WeekId"
},
"Version": {
".read" : true
}
...
}
I keep getting the following email from Google:
[Firebase] Your Realtime Database 'xxx-9e542' has insecure rules`
We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
Without strong security rules, anyone who has the address of your database can read / write to it, leaving your data vulnerable to attackers stealing, modifying, or deleting data as well as creating costly operations.
So based on my rules above, I KNOW, that I have rules in place to allow logged in users to read the Games node and that ALL users can read the Version node even non authenticated users.
As far as I know, it needs to be this way because I require ALL logged in users to be able to access the Games node information, else how would they be able to view the list of games they can select from!?
As for the Version node, I use that in the instance I need everyone that downloaded my app to "Force Upgrade" my app cause of a change that is required. In this instance, I would need the user that have downloaded an older version of my app and that are either "logged in" or "not logged in" and force them to update the app or else they can not use it.
Can anyone let me know if I am off base with how I structured my security rules or is this "normal" and that I am receiving the email just as a FYI!?
How have others setup their rules!? or what are the "best practices" for setting up security rules!? esp. if you need logged in users to access the information of any particular node(s) 24/7!?
The main problem with your current rules is that anyone can sign in through the API and read your entire database, even if they know nothing about your application. They can just read the root of the database, and then start looking at your data.
The first step to improve security would be to not allow read on the top-level, but only at lower levels:
{
"rules": {
".write": false,
"Games": {
".read" : "auth != null",
".indexOn" : "WeekId"
},
"Version": {
".read" : true
}
...
}
Now nobody can read from the root, and you must know that Games or Version node exists in order to read it.
I am using Relatime database from firebase to read few flags and do some actions in android app. I used to get mail of insecure database read and write rules so I changed to following:
{
"rules": {
".read": "true",
".write": "false"
}
}
And now, I only get mail about insecure read.
[Firebase] Your Realtime Database 'abc-xyz' has insecure rules
We've detected the following issue(s) with your security rules:
any user can read your entire database
But if I change read to false then I am unable to read any value changes in real time. Can someone please help me understand how do I secure both read and write but also able to keep reading values from app?
PS: I don't use Firebase auth in my app as of now.
Firebase Auth is a cool thing, if you don't want your user to log into the authorization provider account, you can use an anonymous account which gives you a unique user ID of your app, etc.
Then you can write rules like:
"rules": {
".read": "auth != null",
".write": "auth != null"
}
If you don't store user data, you probably don't need any authorization. You can still restrict reading and writing of users by adding some area when read / write is available.
E.g:
"rules": {
"PublicData":{
"SomePublicChild":{
"ChildProperty1": { ".validate":true },
"ChildProperty2": { ".validate":true },
"$other": {".validate":false },
},
".write":true,
".read":true,
".validate":"newData.hasChild(SomePublicChild)"
},
"PrivateData":{
".write":false,
".read":false,
}}
These rules will allow anyone to write / read to the PublicData node and to anyone else to write / read the PrivateData node. The rules will also protect the structure of your public data, they only allow writing to the PublicData object with the ChildProperty1 or ChildProperty2 properties, and will block writes with any other property key.
It's not big thing but you won't recive more mail about insecure rules.
Data in Firebase has the following structure:
emailsLending
|___-LqQFYK-iI8a8qe2msVk
|___email
|___serverTimestamp
I wrote the following rules checking the entry in the email field:
{
"rules": {
"emailsLending": {
"$emailsLending_id": {
".indexOn": "email",
"email": {
".validate": "newData.isString() && newData.val().matches(/^[A-Z0-9._%+-]+#[A-Z0-9.-]+\\.[A-Z]{2,4}$/i)"
}
}
}
}
}
But when I write data to the email field using the Cloud Function, the rule does not apply and I can write anything, for example, "123".
What am I doing wrong?
Cloud Functions run with administrative privileges, and by default bypass the security rules of your database.
The logic here is that rules are to protect against malicious behavior from untrusted users, while Cloud Functions are authored by the most trusted users: collaborators on your app. To catch mistakes made by these types of users, you'd typically use unit tests instead of security rules.
If you have a case where this logic doesn't apply and you're using the Realtime Database, you can set databaseAuthVariableOverride to the UID of the user to run the code as. For an example of this, see the Firebase documentation on accessing user authentication information.
A manager needs to make the team's schedule live/public. The main challenge I'm running into is my firebase db security rules require users to be logged it in order to read data from it. They sort of look like this:
{
"rules": {
.read:true,
.write:true
}
"profiles":{
".read": true,
".write": true
},
"$clinicId":{
".write":"root.child($clinicId).child('permissions').child('admins').child(auth.uid).val() == true",
".read": "root.child($clinicId).child('permissions').child('members').child(auth.uid).val() == true"
}
}
}
What comes to my head is the following:
1- When the manger publishes the schedule, I would generate a token, add it to my permissions rules, and embed the token in the shared url as a param.
2- Then when an employee tries to access the url, I would use the token to sign in the user into the app.
I have explored claims and tokens in Firebase and I'm not quite sure which one would be the best neither this is a correct approach.
I would appreciate any insights.
Thank you in advance!
So it sounds like you want to make the data public, but harder to access.
Why don't you just include the id of the public doc in the url ? It is already a big-hard-to-guess hash. Which is all you'd be doing.
Additional security might include:
keep public docs separate from private ones, different collections
or use a flag on the doc that you can check the "visibility" of before returning to the client