Firebase Database Security - firebase

I'm new to the Firebase database, so I have a question concerning the database.
My database rules so far are public, like this:
{
  "rules": {
    ".read": "auth == null",
    ".write": "auth != null"
  }
}
I want access to my database info (read and write) to be only for my application. I want to make my Firebase only allow read and write instructions if the appID or BundleIdentifier, or something else that identifies that it is my app, is what's trying to operate.
Is it possible? I don't want to use Firebase user authentication.
With the configuration I have so far, is it possible for anyone in the world to access my database?

It's not possible to use the app's ID with Realtime Database security rules. The list of properties you can use in rules is documented here.
Also, if you want to allow full read access to your database, consider also saying this:
{
  "rules": {
    ".read": true
  }
}
What you have now, ".read": "auth == null", only allows read access if you are not authenticated. Authenticated users would not be able to read, which doesn't sound helpful.

Related

Why am I getting a message that my Firebase database is insecure, even after enforcing App Check?

I have integrated the Firebase API in my web project. I have also enforced App Check in my web project. The following are my database rules:
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
Every day I keep getting an email from Firebase saying that my database has insecure rules:
- any logged in user can read your entire database
- any logged in user can write to your entire database
I have already enforced App Check. What more do I need to do to secure my database?

Firebase rules write/read

If I write ".write": "auth != null", who can write?
Only the person who has my Google account and password, or all persons who have a Google account?
I want to be the only one who can write to the database page, but I can't change the rule to false.
If I write ".write": "auth != null", who can write to my database?
As Frank said, only people who have authenticated using Firebase can write with this rule. If you have no way for users to sign up for your app, then you'd be the only one who can write. If you have users create an account, they're "authenticated" as well and can write. If you want to limit writing just to your user account, get your user id and use this rule where MY_USER_ID is your uid, or look into custom claims.
".write": "'MY_USER_ID' === auth.uid"
This assumes you want to write from some interface other than directly in Firebase. If you want to prevent all writing and manually upload/edit copy directly into Firebase, you can set:
".write": false
...which would prevent all writes from users anywhere, but which would still allow you to edit your data in the console.
If you have this rule:
".write": "auth != null"
Any user who is authenticated can write to your database. That means anyone who signs in with a method that you've enabled in your Firebase Authentication console.

Firebase user permissions

Being relatively new to Firebase, I'm getting my head round the permissions, vital if you don't want unauthorised manipulation in JavaScript. I have the very basic rules
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
This means I can set a user/email which has to log in at the client end to see or do any CRUD functions with the data. What I want to do is allow users to register and only edit or delete anything they have posted themselves, so they can read any questions and feedback and post their own, but cannot tamper with anything they haven't posted themselves.

Keeping firebase data secure

So the last thing I want is anyone accessing the database that isn't supposed to. Users on my app create an account which has a key and children in my database (an easy to access user profile), and it also makes an auth account. The rules of the database state that only authenticated users can access the database. Is it possible for someone who is authenticated to somehow access the rest of the database (through hacking maybe)? This is my first app using Firebase and I want to make sure that user information will be protected.
It depends on your rules.
If the rule is:
// These rules require authentication
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
This kind of rule allows full read and write access to authenticated users of your app. In other words, an authenticated user can access all the data in the database without any hacking.
If you set something similar to this rule:
{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}
it grants write access to the owner of this user account, but only for this data.
It means that you have to set the rules to obtain the wanted result for each node in your data.
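To make the behaviour of these rule sets concrete, here is an added example (my own code, not from any of the answers above and not Firebase's rules engine): a small JavaScript evaluator for the subset of Realtime Database rule semantics discussed in these threads. It models the points raised so far: the first answer's observation that ".read": "auth == null" lets anonymous callers read but locks out signed-in users; the "who can write with auth != null" answers (any signed-in user, anywhere in the tree); this answer's "$user_id === auth.uid" owner rule; and the "Firebase user permissions" question about letting users edit or delete only their own posts. The database contents, the OWNER_ONLY rule set and the user identities are constructed for the demo, and the evaluator assumes rule expressions can be evaluated as JavaScript (Firebase's real engine is separate, but its expression syntax is JavaScript-like).

```javascript
// Added example: toy evaluator for Firebase Realtime Database rule cascading.
// Not Firebase's engine. Models `.read`/`.write` expressions over `auth`,
// `$wildcard` path variables and `data`/`newData` snapshots, plus the cascade:
// a rule that grants at a shallower node grants for everything beneath it.

// Minimal stand-in for RuleDataSnapshot over a plain JS value (assumption).
function snap(value) {
  return {
    exists: () => value !== undefined && value !== null,
    val: () => (value === undefined ? null : value),
    child: (name) => snap(value && typeof value === 'object' ? value[name] : undefined),
  };
}

// Rule expressions are JavaScript-like, so Function() serves as a toy evaluator.
// A rule that fails to evaluate (e.g. auth.uid when auth is null) is a denial.
function evalRule(expr, bindings) {
  if (typeof expr === 'boolean') return expr;
  try {
    const fn = new Function(...Object.keys(bindings), `return (${expr});`);
    return fn(...Object.values(bindings)) === true;
  } catch (e) {
    return false;
  }
}

// Copy of `obj` with the value at `segments` replaced (null = delete), so that
// newData can be inspected at any depth of the path.
function withPath(obj, segments, value) {
  if (segments.length === 0) return value;
  const copy = obj && typeof obj === 'object' ? { ...obj } : {};
  copy[segments[0]] = withPath(copy[segments[0]], segments.slice(1), value);
  return copy;
}

// Walk from the root to the requested path, evaluating `.read` or `.write` at
// each node; the first node whose rule is true grants access, deeper rules
// cannot revoke it, and no true rule along the path means denial.
function isAllowed(rules, kind, path, ctx) {
  const segments = path.split('/').filter(Boolean);
  const auth = ctx.auth === undefined ? null : ctx.auth;
  let node = rules.rules, cur = ctx.db;
  let curNew = kind === 'write' ? withPath(ctx.db, segments, ctx.newData) : ctx.db;
  const vars = {};
  for (let i = 0; i <= segments.length; i++) {
    const expr = node ? node['.' + kind] : undefined;
    if (expr !== undefined &&
        evalRule(expr, { auth, data: snap(cur), newData: snap(curNew), ...vars })) return true;
    if (i === segments.length) break;
    const seg = segments[i];
    let next = node ? node[seg] : undefined;
    if (next === undefined && node) {            // fall back to a $wildcard child
      const wild = Object.keys(node).find((k) => k.startsWith('$'));
      if (wild) { vars[wild] = seg; next = node[wild]; }
    }
    node = next;
    cur = cur && typeof cur === 'object' ? cur[seg] : undefined;
    curNew = curNew && typeof curNew === 'object' ? curNew[seg] : undefined;
  }
  return false;
}

// Constructed sample database: two user profiles and one post by alice.
const DB = {
  users: { alice: { name: 'Alice' }, bob: { name: 'Bob' } },
  posts: { p1: { author: 'alice', text: 'hello' } },
};

// Rule sets quoted in the threads above, plus a constructed owner-only variant.
const UNAUTH_READ = { rules: { '.read': 'auth == null', '.write': 'auth != null' } };
const AUTH_ONLY = { rules: { '.read': 'auth != null', '.write': 'auth != null' } };
const OWNER_ONLY = { rules: {
  users: { '$user_id': { '.read': 'auth != null', '.write': '$user_id === auth.uid' } },
  posts: {
    '.read': 'auth != null',
    '$post_id': {   // existing post and the post being written must both belong to the caller
      '.write': "auth != null && (!data.exists() || data.child('author').val() === auth.uid)" +
                " && (!newData.exists() || newData.child('author').val() === auth.uid)",
    },
  },
} };

const ALICE = { uid: 'alice' }, BOB = { uid: 'bob' }, NOBODY = null;   // constructed identities

function canRead(rules, path, auth) { return isAllowed(rules, 'read', path, { db: DB, auth }); }
function canWrite(rules, path, auth, newData) {
  return isAllowed(rules, 'write', path, { db: DB, auth, newData });
}

// Demo table, printed when run directly.
const checks = [
  ['UNAUTH_READ', 'read /users/alice as nobody', canRead(UNAUTH_READ, '/users/alice', NOBODY)],
  ['UNAUTH_READ', 'read /users/alice as alice', canRead(UNAUTH_READ, '/users/alice', ALICE)],
  ['AUTH_ONLY', 'write /users/bob as alice', canWrite(AUTH_ONLY, '/users/bob', ALICE, { name: 'x' })],
  ['OWNER_ONLY', 'write /users/bob as alice', canWrite(OWNER_ONLY, '/users/bob', ALICE, { name: 'x' })],
  ['OWNER_ONLY', 'overwrite /posts/p1 as bob', canWrite(OWNER_ONLY, '/posts/p1', BOB, { author: 'bob', text: 'x' })],
  ['OWNER_ONLY', 'create /posts/p2 as bob', canWrite(OWNER_ONLY, '/posts/p2', BOB, { author: 'bob', text: 'new' })],
];
for (const [rules, action, ok] of checks) console.log(`${rules.padEnd(12)} ${action.padEnd(28)} ${ok ? 'allow' : 'deny'}`);
```

The posts rule checks both `data` (the post as it exists) and `newData` (the post as it would be after the write), which is what stops a signed-in user from overwriting someone else's post or from creating a post stamped with another user's uid; a check on `data` alone would still let a caller create new nodes under any author. Note that the evaluator only models client SDK access; as the later answer in this thread says, console access is not governed by rules at all.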

Do I have to change security rules in firebase if I'm not using database?

If I were to build a site with Firebase without database interaction (no login on the site), do I need to change the default security rules, which look like this:
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
The red exclamation sign in the Security & Rules section says that I had better write some security rules. So the question is: is it safe to leave this as is if you don't use login/signup?
The thing is, Firebase has changed a lot. The new admin area has predefined security measures in place. So, you don't really have to worry about that anymore.
The default set of rules is
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
And in case you want to open them up for both read and write permissions, you can roll back to
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
With the default rule:
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
everybody can read and write your data using the Android, iOS and web SDKs.
You should provide some kind of authentication, with a token or with email/password authentication.
{
  "rules": {
    ".read": "auth !== null",
    ".write": "auth !== null"
  }
}
Pay attention, because your rules don't affect what you can or can't do in the Firebase dashboard. Anyone with access to the dashboard, including collaborators who you share your Firebase dashboard with, can circumvent the rules.
More info here.
The security rules in the "Security & Rules" tab of your Firebase dashboard only affect who can access the database.
It has no effect on:
- who can access a web site you host on Firebase. Anyone with the URL can do that.
- who can deploy a web site you host on Firebase. Only the owner and collaborators you invite to your Firebase back-end can do that.
