I want to use my own URL to interact with my Firebase database REST API. I understand that you cannot alter the default "https://myapp.firebaseio.com/" from within the app. I am wondering if it is possible to do this externally through some form of URL rewriting?
If so, what are the elements required & are there any complications to overcome (particularly with https)?
Related
I am developing a Flutter web app using Firebase as backend. While trying to enable Facebook login, I found the following requirement:
Apps that access user data must provide a way for users to request that their data be deleted. Your app can satisfy this requirement in one of two ways:
Implement a Data Deletion Request Callback.
Provide a URL with explicit instructions for app users on how to delete their data by way of a third-party website or tool. The third-party website may be the relevant section in the application's Privacy Policy.
Implementing a data deletion request callback can be harder, because I don't have a regular backend; I am using Firebase.
I think the second option is better; however, it is not completely clear to me what they mean by “delete their data by way of a third-party website or tool”. Is it possible to have a URL in the app with a “delete account button” and give the corresponding instructions in the URL?
How should I fulfill these requirements?
Is there an efficient way to fulfill them?
I am making a web app using Firebase. I was looking into restricting access to certain pages unless there's a subscription. When I looked through the docs, all I found was that I could do transactions with Stripe, and it only applied to signing in and up, not restricting pages.
After searching on the internet, I didn't find a viable solution, but three ideas came to me that I could use (which either have a low chance of working or are very lackluster, to say the least; all involve using Stripe).
One: I would use a middleware to verify the token I get from Stripe and then redirect from there. (But all that comes to my mind is how I would identify the redirected page in the middleware. And even if that was probable, how much time would that take to make it work (if that is even possible)? I have no idea.)
Two: in the hosting configuration I could call a function when a rewrite is performed. I thought I could make a function that verifies the token from Stripe when a restricted page is called. (But then again, not only is the function accessible after hosting and can be viewed, I don't know if I can call Firebase configurations and functions inside the firebase.json.)
Three: this is the most viable but has very bad downsides. It is authenticating the Stripe token in regular JavaScript, and if it fails, it would restrict access to the page. Do the same in the rules for the database section related to that page. (The downside is that the HTML, CSS, and JavaScript would all be accessible. Only the database functions relating to them are restricted.)
So with all that being said, I couldn't find any viable option I could use. So I was wondering if anyone here has met the same problem and got a solution, or if you have any advice I could use.
Note: I am using Firebase's Realtime Database, by the way.
If you are trying to restrict access to your webpages/app, you should come up with a logic in your backend or frontend (depending on your app structure) where you could store values needed in Firestore or another solution.
In case you would like to restrict access to Firestore, you can achieve that with Rules.
I really need to be able to access images in my firebase storage dynamically by creating a URL. Something that would look like this:
https://firebasestorage.googleapis.com/v0/b/<bucket>.appspot.com/o/userImages%2F<userUID>2%2F<imageUID>?alt=media
I know it would be possible since I managed to load the image in my browser. However, my concern is security.
I would need to set the rule allow read: if true; for this to work
If someone with bad intentions wanted to see users' images, would they be able to see all the images in my bucket or would they need to guess the userUID and the imageUID?
What you're asking isn't possible without custom code. Direct download URLs are not affected by Firebase security rules at all.
If you want to limit access to direct download URLs of any kind, you will need some sort of custom backend service that checks the end user's permission before delivering the content. This means you will have to create your own endpoint that serves the content of the file in Storage.
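An added example, not part of the original answer: the permission check such a custom endpoint could run before it serves a file. It assumes an owner-only policy for objects named userImages/<uid>/<imageId>; verifyIdToken and readObject are hypothetical injected functions standing in for the identity and storage backends.

```javascript
// Added example: authorization gate for a backend endpoint that fronts Storage.
// Assumed policy (not from the page): only the owning user may read
// userImages/<uid>/<imageId>. verifyIdToken/readObject are injected stand-ins.
const OBJECT_RE = /^userImages\/([A-Za-z0-9_-]{1,128})\/([A-Za-z0-9_-]{1,128})$/;

// Decode the requested object name once and accept only the exact layout.
// Anything else (extra segments, "..", double encoding, bad escapes) is rejected.
function parseObjectPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  const m = OBJECT_RE.exec(decoded);
  return m ? { ownerUid: m[1], imageId: m[2], objectPath: decoded } : null;
}

// Pure decision: the HTTP status the endpoint should answer with.
function decideAccess(callerUid, rawPath) {
  if (!callerUid) return { status: 401 };
  const target = parseObjectPath(rawPath);
  if (!target) return { status: 400 };
  if (target.ownerUid !== callerUid) return { status: 403 };
  return { status: 200, objectPath: target.objectPath };
}

// Handler: verify identity, decide, and only then read bytes from the backend.
async function serveImage(req, deps) {
  const header = (req.headers && req.headers.authorization) || '';
  let callerUid = null;
  if (header.startsWith('Bearer ')) {
    try {
      callerUid = (await deps.verifyIdToken(header.slice(7))).uid;
    } catch (err) {
      callerUid = null; // invalid or expired token is treated as anonymous
    }
  }
  const decision = decideAccess(callerUid, req.path);
  if (decision.status !== 200) return { status: decision.status };
  const body = await deps.readObject(decision.objectPath);
  if (body === null) return { status: 404 };
  return { status: 200, headers: { 'Cache-Control': 'private, no-store' }, body };
}
```

The object name is validated against a fixed pattern before it reaches the storage backend, so the caller never controls which prefix is read.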
The rules don't work on the URLs. BUT the download URL has a token in it, which can be generated by you or is generated by the bucket (by default a UUID, which is always unique).
https://firebasestorage.googleapis.com/v0/b/[bucket].appspot.com/o/userImages%2F[userUID]2%2F[imageUID]?alt=media&token=[accessToken]
I have a WordPress website with custom tables in which I store data that was entered by customers. The site owner wants to develop a barcode app that can access this data. When I need the data from these fields to display within the site, I request it from a PHP script running on the server that makes calls like get_post_meta().
The owner has hired a mobile app consultant who believes that, if he just has the password to the account where the site is hosted, he can access all of these database fields from the app.
I'm not seeing how this is possible. My understanding is that a mobile app can only access a site by making HTTP requests to it. It has no way of running on the server and executing things like get_post_meta().
Am I missing something?
Thanks
I think you are missing something. WordPress now has a REST API https://developer.wordpress.org/rest-api/ that can allow a mobile application to get at data in your database by making HTTP requests.
The developer will need to be able to enable the REST API, but if you give her the password, she will probably be able to do so. Typically this is done using a plugin like WP REST API, which enables a set of default endpoints that includes post metadata and allows you to add other endpoints.
Depending on how the custom tables are set up, they might not be automatically available to the REST API. However, if you are able to access them using get_post_meta(), then I would expect that they would be accessible to the REST API as well, most likely by adding endpoints.
I want to set up a public form to write to Firebase via the Angular Firebase plugin AngularFire, but it feels like there needs to be some security added so that data is only posted from that form. I can't see any interface to whitelist a domain/URL. Is there a way to only accept writes from a specific form/URL without getting the user to log in first?
Nope.
But it wouldn't help in your scenario anyway: when you're using Angular, all code is running in the user's browser. It might be served from your domain into that browser first, but just as easily the user might have saved the HTML locally and started running it that way.
It sounds like you're trying to secure things so that only your code can modify them, probably because you think that your code is the only thing that can be trusted to follow some of your application-specific business rules. Instead of trying to limit access to just your code, I'd instead recommend capturing the business rules server-side. Firebase has a very powerful security and data validation model just for that purpose. See https://www.firebase.com/docs/security/guide/
Once you enforce these business rules on the server, it doesn't matter how someone accesses your data. They could be using your code - or somebody could have taken your code (or an API that you've documented) and written a third-party application. Either way: the (security and validation) rules will be enforced by Firebase, so your data will stay valid and secure.