I've just written a small single page javascript application (for internal company use) that will be hosted on S3 and uses Firebase as the datastore.
I'm aware that a devious hacker could probably find a way to delete all the data in Firebase if they were determined enough using the javascript console.
None of the data in this application should ever be deleted.
What Firebase rules can I use to ensure data cannot be deleted by any authorised user? It this even possible?
Thanks
Yup, that's fairly simple:
".write": "!data.exists() || newData.exists()"
So you can write if there's either no data at the location or if you're writing new data.
Related
I have a React app which I developed for my own usage in localhost development mode.
The app stores some data to a firebase realtime database which I created just for the project.
Has no authentication, since only I use it in development mode.
The rules on the firebase database are the default ones:
{
"rules": {
".read": true,
".write": true
}
}
Thus firebase alerts me to the usual: 'Your security rules are defined as public, so anyone can steal, modify...' - warning.
My understanding is that in this case, the only way someone could get access to my data is if they got hold of information about the firebase instance, such as apiKey, database URL, authDomain. Is this true? (Or is there some other straightforward way people can get access to the data in this case, obviously not talking about hacking my computer/google account, etc.
This data is important to me, so basically I am wondering if my current practice is secure.
PS: I do understand how to set up firebase database security for a 'normal' user app. However, in this particular instance, I believe it is not needed, is this correct?
Thanks very much.
Anyone who knows the URL to your project can now read, and write your data. They can delete your entire database with a single command. While this may be exactly what you want (which is why Firebase allows it), most applications need more controlled access to their data (which is why you get alerts from Firebase to that effect).
Your best option is to add Firebase Authentication to your app. With that you can ensure that you are indeed the only person using it. Right now your statement about that is an assumption based on your faith in nobody having access to your URL. By implementing authentication, you can actually ensure that you're the only person having access to the data.
This could be as simple as implementing anonymous authentication, which generates an ID for the user without requiring them to provide any credentials. If you then log that ID, you can restrict access to the database to that one user with rules like this:
{
"rules": {
".read": "auth.uid === 'your_uid''",
".write": "auth.uid === 'your_uid''"
}
}
Even that simple change already makes your database much more secure, as now only that one user can access the data.
I strongly recommend that you spend some time reading more about Firebase's security model and rules, and that you then secure your database. Not only will this get rid of the alert, but (more importantly) it ensures the data is only accessed in ways that you control.
Using API key, database URL, auth Domain and etc, your end application makes a connection with the server. In short, all your API keys, database URL, auth Domain and etc are openly available. But this is not a problem until and unless your security rules are in place to protect your data from getting explored. Read more about Security Rules.
There are a few simple steps to protect or secure your data: [These are tips from me]
Use Authentication: This is the easiest way of keeping track of the user and the data the user can access or modify.
Note: Never trust the data coming from the user. You must validation the each and every data coming from the user.
Use of Functions: Functions have a special property - They can bypass the security rules. Remember not to expose all the data to users/open world. You can send the data to the invoked functions and let all the functions handle all the logic. This method is costly from the financial and request/response view.
I am creating a react native application using Firestore and I am not sure how to implement secure schema validation on document creation and update.
If I understand security rules, it is possible to:
Limit who can perform operations (update, read, write, etc.) on documents
Limit operations allowed based on field conditionals
Limit operations allowed based on custom functions (post w/ examples)
My concern is that because of the client side nature of the requests, a savvy user could utilize their authentication and some client side code to .set() any field or map/object to any value they want unless a security rule prevents it. It appears I could use very complicated custom functions to validate the data received. I could also validate every update and create through a Cloud Function API, but I am attempting to use the Firestore database itself whenever possible.
Am I right to be concerned about the potential for users to abuse their .set() field creation abilities on authorized documents (i.e. documents with minimal userId rules)?
Is there an accepted way to create security rules that prevent client abuse of documents that don't have custom functions that validate the schema?
You should always consider malicious users, and how they might affect your data, no matter whether you write the validation in security rules or in more traditional code in Cloud Functions.
Compare these two statements from your question:
"I could use very complicated custom functions to validate the data received"
"I could also validate every update and create through a Cloud Function API"
In both cases you're writing custom code to ensure the data the user enters is valid according to your business rules. Since these rules are specific to your business, there's no way to prevent you having to write them. The only difference is where you write these business rules. With Cloud Functions you're writing the validations in regular JavaScript code, in an environment you may already be familiar with. With security rules you're writing the validations in a domain-specific language, which you'll have to learn.
I personally far prefer writing my business rules into Firestore's server-side security rule language, and then use Cloud Functions for implementing business logic on top of that validated data.
If you are worried that user might just reverse engineer your app and mess up your code to harm your database, then yes this is possible. You should have proper rules set. Talking of updating data in database from app, try to update it through cloud functions as far as possible. This way you might need to give less access to your users to the database directly.
You can check my answer here. This will help you setting rules and some ways to code adapt your app code based on situation. The answer also has some lines on where can one use cloud functions to reduce direct contact with the database.
And if there is no know or you feel the information should be directly updated to the database, change your rules to this: ".write": "$uid === auth.uid" .
Here $uid is name of parent node and can be anything else. This way a user can access his/her data only and even if the user modifies your app, they can harm their data only. (You should have correct rules set).
You can check out this link for most of the rules combinations.
And do check the answer whose link is above. That might clarify how it will secure your database to some extent. If you can provide any particular situation regarding your app and want some information for how to set rules there, feel free to drop a comment :-)
So if I have an E-commerce App that doesn't require Login/Auth, and my users buy in the store, then after verifying the transaction the backend writes the order in the database.
The thing is that my Realtime Database just relies on Stripe transaction key (i.e, someone has paid for an item) to be able to write on the DB, because my rules are set so anyone can write, otherwise I would need every user to log in, but that's not what I want.
Firebase recently notified me that my rules are weak.
How can a make sure my users are able to write to my database in a secure way for my app, without log in/Auth?
There are many different security models you can use with Firebase, and it's important to understand the level of security each provides.
One thing to look into is anonymous auth which lets you "authenticate" a user without actually requiring them to provide any credentials. This provides a way to guarantee that the same device is being used between multiple reads/writes.
In your specific case, it sounds like you might be looking to rely on unguessable tokens. This can be a valid security model for some use cases so long as the key is sufficiently complex as to be unguessable.
At its most basic, the way you'd structure security rules for unguessable URLs is something like:
{
"rules": {
"transactions": {
"$key": {
".read": true,
".write": true
}
}
}
}
This allows users to read/write specific nodes at e.g. transactions/abc123xyzunguessable but importantly does not allow reading/writing to the parent transactions node. Security comes from the fact that only the person who originally got the unguessable token will be able to provide it again in the future.
A better implementation would gate writing on the $key matching the expected unguessable format, adding validation and other read/write rules to ensure that the data is formatted appropriately, and probably also prevent modification of key fields.
These are just some pointers but should help you on your way. The important thing is to make sure that you never leave important information in a place where it can be read through easily guessable URLs.
There is no "secure" way to allow writes to Realtime Database without Firebase Authentication. Without Firebase Auth, either there is full public access, or there is no public access at all.
If you can't use Firebase Auth, what you will need to do instead is make your security rules disallow all direct access to the database from client applications, then create backend APIs to manage access to the database. Your backend APIs will need to somehow validate that the person making the request should have the ability to make the required changes. Then, it will have to use the Firebase Admin SDK to commit those changes to the database.
I'm starting with firebase and i've a very basic question
in firebase rules for database i've:
{
"rules": {
".read": true,
".write": true
}
}
According to google it means that anyone can read and write on database.
My question is who anyone?
Let me clarify:
I don't want to force the user of my app to login, nor to have an account on google in order to use it.
this project is not shared with other people, other apps or any other stuff
is it possible to somebody to access the data stored in firebase? if yes how?
again if yes, what should i do to protect the data without forcing users to have credentials?
true here mean there is literally no protection of your data. Anyone who has the tools, and the name of your Firebase project, is able to fully read and write all your data. It should be considered that your database has extreme privacy concerns, which is especially bad for the data you're storing about your users.
Anyone can use something as simple as the REST API to access your entire database (or delete your entire database) with one request.
Without Firebase Auth, you should restict all access through some other protected API that you control. It's outside the scope of this question to fully explore how to set up that other API.
Referring to:
{
"rules": {
".read": true,
".write": true
}
}
You can imagine that the boolean value for the read and write as a security gate where true is open access and false is dead end. By stating it "true" means that people could just access your database (somehow) without even using your app.
Your points are:
This app is only for private used.
This app will not and never be distribute to other non-relevant people.
But, how do you make sure other people won't attack/ access your database? People could still access your database through browser controls (JS, Angular etc.).
Do remember, reverse engineering is possible, they could obtain your database information as well as your firebase credential JSON file, which could make your data in risk.
No matter what, it is advisable you restrict the security rules. My recommendation is to implement a simple role based security rule to prevent abusive and unauthorised API call usage.
More of a theoretical question, but I am interested in the correct way that public data should be accessed from a Firebase realtime database. This is data that is viewable just by going to a webpage (no sign in needed). In the past I would create an anonymous account, but this seems inefficient (for each viewer of the site) and seems like I might as well set .read to true in the rules so that no accounts are needed to access the data.
However, it seems like Firebase generally advises against setting .read to true within the rules, so I was wondering what the correct convention here would be.
Generally speaking, setting .read to true is used for testing purposes, where you don't need authentication and where there are no sensitive data of your users. If the content of your app does not contain data that need to be private, then you can use this settings but if you decide in the future to add authentication and you want to store sensitive data about your users in your database, it's mandatory to secure your Firebase database using Firebase Realtime Database Rules.
Hope it helps.