I'd like to specify rules in Firebase such that a path can only be accessed if it's known.
/root
    /messages
        /message1
        /message2
        /message3
If you access /messages you can receive a permission denied (or nothing).
If you explicitly access /messages/message2 you get the contents.
Update 1: Expected behaviour (iOS)
FIRDatabase
.database()
.reference()
.child("invitations")
.observeEventType(.Value, withBlock: { snapshot in
// snapshot returns nothing or permission denied.
})
FIRDatabase
.database()
.reference()
.child("invitations/message1")
.observeEventType(.Value, withBlock: { snapshot in
// snapshot returns message1
})
This is not an answer, but I believe the OP is asking how to prevent enumeration of the nodes under a given node, while allowing anonymous access if the user knows the DIRECT path of a given node.
I, too, have been trying to figure out how to do this. Basically, I'm trying to post semi-sensitive data under a given node, while making the name of the node available securely through a different means. However, I don't want to implement a "security/user" model within Firebase. I'd simply like to use Firebase similar to an Amazon S3 bucket, where if you know the location of a key, you can download the file/data stored at that location, while still preventing enumeration/listing of the nodes within the database.
An example of such usage would be if you generate the keyname using a crypto digest such as SHA2. The key couldn't be easily generated, yet if you knew the key, you could access the node directly. Does anyone know how to do this?
EDIT: I figured out how to do this in Firebase. The solution is rather simple. Here is an example of the JSON security rules in Firebase:
{
    "rules": {
        "users": {
            ".read": false,
            ".write": false,
            "$child": {
                ".read": true,
                ".write": true
            }
        },
        "chats": {
            ".read": false,
            ".write": false,
            "$child": {
                ".read": true,
                ".write": true
            }
        },
        "comments": {
            ".read": false,
            ".write": false,
            "$child": {
                ".read": true,
                ".write": true
            }
        },
        ".read": false,
        ".write": false
    }
}
In this example, any node under "users", "chats", and "comments" is directly accessible, but enumeration is no longer possible.
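An added example, not part of the original answer and not Firebase's own implementation: a simplified JavaScript model of how `.read`/`.write` rules cascade along a path, run against the answer's rules to show which requests they allow. The function name `isAllowed`, the sample paths and the restriction to boolean-literal rules are assumptions of this example.

```javascript
// Added example: a simplified model of how Realtime Database applies
// ".read"/".write" rules along a path. Only boolean-literal rules are
// handled; rule expressions (auth, data, newData, ...) are out of scope.

// The rules from the answer above, written compactly.
const open = { '.read': true, '.write': true };
const closed = { '.read': false, '.write': false };
const answerRules = {
  rules: {
    users: { ...closed, $child: open },
    chats: { ...closed, $child: open },
    comments: { ...closed, $child: open },
    ...closed,
  },
};

// Walk from the root towards `path`. Access is granted as soon as any level
// on the way grants it; a deeper `false` never revokes a shallower `true`,
// and a `true` below the requested path does not help the request.
function isAllowed(ruleset, path, op) {
  let node = ruleset.rules;
  if (node[op] === true) return true;
  for (const segment of path.split('/').filter(Boolean)) {
    const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
    const hasLiteral = Object.prototype.hasOwnProperty.call(node, segment);
    const next = hasLiteral ? node[segment] : node[wildcard];
    if (typeof next !== 'object' || next === null) return false; // no rule applies
    node = next;
    if (node[op] === true) return true;
  }
  return false;
}

// Constructed sample paths; the 64-character name stands in for a secret key.
const secret = 'c0ffee'.padEnd(64, '0');
const checks = [
  ['/chats', '.read'],                // listing the collection
  [`/chats/${secret}`, '.read'],      // direct read of a known key
  [`/chats/${secret}/text`, '.read'], // the grant cascades to everything below
  ['/chats/any-new-name', '.write'],  // writing does not require a known key
  ['/', '.read'],
];
for (const [path, op] of checks) {
  console.log(op, path, isAllowed(answerRules, path, op) ? 'allow' : 'deny');
}
```

Because `$child` matches any name, `".write": true` lets any caller create or overwrite a child without knowing an existing key; only reads depend on the key being secret.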