Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Restricting Firebase read/write access to only myself

I have a static website which runs:

config =
  apiKey: "HIDDEN"
  authDomain: "HIDDEN"
  databaseURL: "HIDDEN"
  storageBucket: ""

firebase.initializeApp(config)

in the browser (it's compiled to javacript) to authenticate with Firebase's server.

Am I confused here? Is this a valid way to authenticate with Firebase from the browser? I got the code from their "web" tutorial, so I'm figuring it is.

Now, I need to configure my Firebase database rules so that me and only me can read & write it.

How could I accomplish this? Would this example be adequate?

this is the given example for allowing read/write to authenticated users only

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
like image 590
max pleaner Avatar asked Aug 24 '16 22:08

max pleaner


People also ask

What are the restrictions in Firebase?

Firebase Security Rules work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths. All Rules across Firebase products have a path-matching component and a conditional statement allowing read or write access.

Can anyone access my Firebase database?

By default, your rules do not allow anyone access to your database. This is to protect your database from abuse until you have time to customize your rules or set up authentication. Describes if and when data is allowed to be read by users. Describes if and when data is allowed to be written.

What are the disadvantages of Firebase?

The cons of Firebase One of the main problems with it, is limited querying capabilities. Realtime database provides no way to filter capabilities, because the whole DB is a huge JSON file, which makes it pretty difficult to make complex queries.


2 Answers

The firebase.initializeApp(config) does not authenticate you, it merely identifies your project on the Firebase servers. It's the equivalent that you must know your home address to be able to know where to go after work. Knowing the address is a prerequisite, but it is not enough to gain access.

If you want to restrict data access to "just you", that means that you must first identify yourself with Firebase. This you do with Firebase Authentication. For example, to sign in with email+password you'd do:

firebase.auth().signInWithEmailAndPassword(email, password)

Read the documentation for email+password authentication for the full steps.

Once you're authenticated, you get a unique id; a so-called uid. You can find your uid in the Auth tab of your Firebase Console.

the Firebase Auth console showing a user's information

With this uid you can control access to the data (both database and storage). So if you copy your uid from the console and add it to your security rules, only you (or someone who knows your email+password) can access the database:

{
  "rules": {
    ".read": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",
    ".write": "auth == 'e836f712-4914-41df-aa80-5ade6b8b7874'"
  }
}

Note that I added one of my own uids in this snippet. Just like knowing your API key or database URL is not a security risk, neither is knowing my uid. Knowing that I am Frank van Puffelen, user:209103 on Stack Overflow, does not mean that you can impersonate me.

like image 170
Frank van Puffelen Avatar answered Oct 24 '22 10:10

Frank van Puffelen


The rules in your question would allow any authenticated user to read and write to any key in the database. If you wish, for development purposes, to configure a single user and restrict access to only that user, you could use the following rules:

{
  "rules": {
    ".read": "auth !== null && auth.uid === '<your-uid>'",
    ".write": "auth !== null && auth.uid === '<your-uid>'"
  }
}

Where <your-uid> is the User UID for the user with which you wish to sign in - you can find it on the Firebase console under Auth (where you can also create a user, if you have not already done so).

Typically, Firebase would be configured so that users could create accounts and finer-grained rules would be used to give users read and write access to specific parts of the database.

like image 39
cartant Avatar answered Oct 24 '22 09:10

cartant