Menu
I've been using Firebase for quite some time, but I only now decided to really look into the security rules.
My question is, how safe is "auth !== null"? Yes, I realize that this means that only an authenticated user can access the data, but how easy is it to become authenticated? Can someone sign up for the app, and then use those credentials to GET request right into my database?
Like I said, I'm new to Security rules, so I'm sorry if this is an obvious question.
Here's my security rules:
{
"rules": {
"Users": {
"$user_id": {
".write": "$user_id === auth.uid",
".read" : "auth !== null",
"shoofers" : {
".write" : "auth != null"
}
}
}
}
}
Thanks!
Neil
864
A user can authenticate via anonymous, email/password, various OAuth providers and phone number sign in. You can enable/disable either of them. Your root rule above allows read only access to any authenticated user via any of the mechanisms stated and write access for a specified user to their own data. It is very difficult to fake sign in. The database will always check that the request has an ID token (when auth is not null). ID tokens use public-key cryptography and are hard to fake without possession of the private key.
84
You can give users access to the database either after sign in authentication or with out authentication. But it is good and safe to allow users to access your database with authentication
with authentication security rules are
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
and without authentication
{
"rules": {
".read": "auth == null",
".write": "auth == null"
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
