So the last thing I want is anyone accessing the database that isn't supposed to. Users on my app create an account which has a key and children in my database (an easy to acces user profile) and it also makes an auth account. The rules of the database state that only authenticated users can access the database. Is it possible for someone who is authenticated to somehow access the rest of the database (through hacking maybe)? This is my first app using firebase and I want to make sure that user information will be protected.
It depends by your rules.
If the rule is:
// These rules require authentication
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This kind of rule allows full read and write access to authenticated users of your app. In other words an authenticated user can access all the data in the database without any hacking.
If you set something similar to this rule:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
it grants write access to the owner of this user account but only of this data.
It means that you have to set the rules to obtain the wanted result for each nodes in your data.
Related
{
"rules": {
"gallery": {
"$artwork": {
".read": "true",
".write": "auth.uid === \"UID\""
}
},
"gallerymap": {
".read": "true",
".write": "auth.uid === \"UID\""
}
}
}
I am creating a gallery that stores the artworks information in a real-time database, so I can add artwork through a page and store it. How do you send a write request along with the UID?
I can't find any documentation for sending a write request along with the UID.
To set the auth variable (including auth.uid) you have to sign the user in to Firebase Authentication. Once a user is signed in to Firebase Authentication, their token is automatically passed with any calls to the Realtime Database SDK, and the auth. variable in your rules is automatically populated from that.
If you're not using Firebase Authentication yet, the simplest way to add it is by implementing anonymous authentication which doesn't require the user to enter any credentials. I usually use anonymous authentication as a first step, print the UID that I get back in my code, and then copy/paste that into my security rules.
In my learning process, I created a simple (Android) game where the user's results are stored in the Firebase database. For developing purposes, I set Firebase rules to read/write without restrictions. Now I want to use rule, where only my application can read/write in the database.
How can I do it? After some browsing, I found samples where users have their own username/passwords. I don't have that kind of application. I just want that only my app has access to the database.
Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id where $user_id is the ID of the user obtained through Authentication. This is a common scenario for any apps that have data private to a user.
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
More info can refer to here : https://firebase.google.com/docs/database/security/quickstart#user
I have several ESP8266 accessing the same Firebase Realtime Database. Though I know 'secret' is deprecated, it is the only way for them to be authenticated. Cf. https://github.com/FirebaseExtended/firebase-arduino
I am facing this question: I would like to grant access to each of them only to its authorized node (and deeper ones of course). Indeed, I would like to reproduce these classical rules:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
Is there something equivalent while using 'secret' ?
There is no equivalent. When you use the database secret, all your access to the database is completely unrestricted, and is not affected by security rules. It's effectively "root" access to your database - there is no auth and no uid. User based security is only available to client code that's actually using Firebase Authentication to verify the identity of the user.
If i write write: "auth != null" who can write ?
Only the person which has my google account and password or all persons who have a google account?
I want to be the only one who can write to the database page but I can't change the rule to false.
If I write: ".write": "auth != null" who can write to my database?
As Frank said, only people who have authenticated using Firebase can write with this rule. If you have no way for users to sign up for your app, then you'd be the only one who can write. If you have users create an account, they're "authenticated" as well and can write. If you want to limit writing just to your user account, get your user id and use this rule where MY_USER_ID is your uid, or look into custom claims.
".write": "'MY_USER_ID' === auth.uid"
This assumes you want to write from some interface other than directly in Firebase. If you want to prevent all writing and manually upload/edit copy directly into Firebase, you can set:
".write": false
...which would prevent all writes from users anywhere, but which would still allow you to edit your data in the console.
If you have this rule:
".write": "auth != null"
Any user who is authenticated can write to your database. That means anyone who signs in with a method that you've enabled in your Firebase Authentication console .
I'm new to Firebase database so I have a questions concerning the database.
My database rules so far is public like this:
"rules": {
".read": "auth == null",
".write": "auth != null"
}
I want the access to my database info (read and write) to be only for my application. I want to make my firebase to only allow read and write instructions if the appID or BundleIdentifier or something that identifies that it is my app who's trying to operate.
Is it possible? I don't want to use Firebase user authentication.
With the configurations I have so far is it possible for anyone in the world to access my database?
It's not possible to use the app's ID with Realtime Database security rules. The list of properties you can use in rules is documented here.
Also, if you want to allow full read access to your database, consider also saying this:
"rules": {
".read": true
}
What you have now ".read": "auth == null", only allows read access if you are not authenticated. Authenticated users would not be able to read, which doesn't sound helpful.