Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does using Firebase Anonymous authentication allow me to secure my Firestore data and Cloud functions to only be accessed by my application?

Tags:

firebase

google-cloud-functions

I'm creating a mobile app that does not have any reason for the users to authenticate. However I don't want other people to write apps or websites that can access my data in Firestore, or call any of my Cloud Functions.

Does this mean I need to implement Anonymous Authentication and then write access rules that require the request to come from an authenticated user?

Or is there a way to write the rules to just say they must come from my application?

like image 596
dakamojo Avatar asked Jul 19 '18 05:07

dakamojo

People also ask

How does anonymous authentication work in Firebase?

You can use Firebase Authentication to create and use temporary anonymous accounts to authenticate with Firebase. These temporary anonymous accounts can be used to allow users who haven't yet signed up to your app to work with data protected by security rules.

How secure is Firebase authentication?

The short answer is yes: by authenticating your users and writing security rules, you can fully restrict read / write access to your Firebase data. In a nutshell, Firebase security is enforced by server-side rules, that you author, and govern read or write access to given paths in your Firebase data tree.

Does Firebase authentication use Firestore?

To build user-based and role-based access systems that keep your users' data safe, you need to use Firebase Authentication with Cloud Firestore Security Rules. Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials.

1 Answers

We had the same problem: an app for deployment to many people where it needs to be able to only read from firestore documents, but another admin app (actually just a web page) that will not be distributed, that needs to be able to write to those documents.

Our solution is to:

  • create another user for the database, with email and password authentication. (We are not allowing users to create accounts -- just having the one static email/password we've created.)
  • use only anonymous login for the regular app
  • have email/password signin for the "admin app".
  • add rules like these for each document:
      allow read;
      allow write: if request.auth.uid == 'notshowingyououridhere-sorry';

We are using ionic with typescript, so the code to do the user/password login is relatively simple:

      firebase.initializeApp(credentials);
      firebase.auth()
        .signInWithEmailAndPassword('[email protected]', 'sorrynotshowingyouourpassword')
        .catch(err => {
          console.log('Something went wrong:', err.message);
        });


      firebase.auth().onAuthStateChanged((user) => {
        if (user) {
          // User is signed in.
          const isAnonymous = user.isAnonymous;
          const uid = user.uid;
          console.log('onAuthStatChanged: isAnon', isAnonymous);
          console.log('userid', user.uid);
        } else {
          console.log('onAuthStateChanged: else part...');
        }
      });

Hope this helps.

like image 131
VictorNorman Avatar answered Nov 15 '22 00:11

VictorNorman
Sign in to Comment

Related questions

How to use APNs Auth Key .p8 certificate in Firebase console
Firebase invites - facebook and twitter options
observeSingleEvent(of:with:) fetching old data
Calling AppEngine from Firebase Functions
Firebase Invalid API key
Firebase Authentication results in Error Code "auth/network-request-failed"
Firebase crash report contains stack trace with <OR>
Use multiple google-services.json and GoogleService-Info.plist files in one flavor/target
(Firebase Databse in Unity) missing classes.jar in Temp during build for Android
Firebase Javascript + P5.js: Asynchronous function getting in the way of redrawing the canvas
Unable to receive FCM Topic Messaging on iOS 9.2
Firebase dynamiclink onSuccess nor onFailure getting called
Multiple projects on one domain
Firebase Auth - User not logged in after Firebase sign up and redirect
Firebase in iOS project causing drop in code coverage numbers
firebase dynamic link preview link not working with facebook messenger
Android + Firebase Auth + REST API: How to properly work with token?
Using firestore.Timestamp.now() in Angular unit test
Firestore stops updating after losing and regaining an internet connection
Why Firebase and Google Analytics metrics doesn't match?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!