I have these rules in my Firebase Real-time Database:
{
"rules": {
".read":"auth !== null && auth.uid === 'my_uid'",
".write": false
}
}
When I try to read the data without authentication, access is denied. So far, only my app can read it successfully.
Still, I'm getting an email from time to time, from Firebase, that my rules are not secure and that everyone can read the data.
What am I missing here?
Related
Ok I have a Realtime database connected to a app and till today the rules ( read and write ) were set to true , everything was working fine ....but every time a message pops up saying
Your security rules are defined as public, so anyone can steal, modify, or delete data in your database
I tried few things but data was not accessed...data was only accessible when the rules were set to true
but is there any way to modify the rules to make it more secure
I want this Data to be accessed by only few known apps ( My Apps )
Start here in the docs and work your way through. It's very practical and easy to understand.
data was only accessible when the rules were set to true
Firebase RTDB has a public URL, so anyone can try connecting to it. It is your job to decide whether they can do this or not. If your rules for any path/node look like this, it is available to anyone who makes a request:
{
".read": true,
".write": true
}
If you only want to allow users of your app to connect to RTDB, you can use Firebase Auth and use conditions like this:
{
".read": "auth != null"
".write": "auth != null"
}
I want this Data to be accessed by only few known apps ( My Apps )
Access is determined on a user level, not by app. Start here in the docs.
but is there any way to modify the rules to make it more secure
Either in the Firebase Console, or deploy them via the CLI. If you're new to this, start with the Firebase Console and use the Rules Playground to test different rules. See docs for more information.
So unless someone has access to my Google account or a app /web integrated with my database... No one can access the data even if the rules are set to true, am I right ?
Your database is not "integrated". It is a deployed instance that is reachable via a public URL - that's how your clients connect to RTDB. If your rules allow any read or write operation, then your database is wide and open for everyone. Hence, the email that you have received informing you that this is not secure.
{
"rules": {
".read": "auth.uid !== null",
".write": "auth.uid !== null"
}
}
Currently accepted Rule docs
I can't get permission to database.
In xcode console I am getting this message:
[Firebase/Database][I-RDB038012] Listener at /skelbimai failed: permission_denied
So I went to firebase database, then Rules and changed like this:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write;
}
}
}
And still I cant read write from database. Where I missed something?
The rules you changed are the rules for Cloud Firestore, while the error message is coming from the Firebase Realtime Database.
You'll need to switch your console from the Realtime Database to Firestore. To do so:
Go to the Firebase database console
Select Realtime Database
From here on the console will stick to showing the realtime database, unless you switch again.
If you already have the console open on one database, you can switch to the other by clicking on the dropdown next to Database and selecting the database you want to manage:
To grant full access to anyone, use these rules:
{
"rules": {
".read": "true",
".write": "true"
}
}
Please only use this for early development stages, as having your entire database publicly read-and-writeable makes it very easy to abuse.
Try Following
Goto Database -> Rules then
copy and paste it
{
"rules": {
".read": "true",
".write": "true"
}
}
I'd like to have my users sign up with a unique username and password (rather than email + password). I have everything working where I:
Sign up
Check if the provided username already exists
If not, then use FIRAuth.auth()?.createUserWithEmail and store the username in the db with the email, e.g.
users
QZqFzWxpdMfc0xmyIq5IDAr1bzr2
credentials
email: "myemail#gmail.com"
username: "MyUsername"
RJasdfasfasdad3dadaewdsdkdq3dk
credentials
email: "another#gmail.com"
username: ""Another
Sign in
Query the db to get User associated with the username and use that to get the email address and use FIRAuth.auth()?.signIn(withEmail: withEmail to log in
While this approach work, I'm wondering how this would work with Firebase permissions?
In order to get the email address associated with the username, I'm going to have to let all users access my email address / username data, e.g.
{
"rules": {
".read": true,
".write": "auth != null"
}
}
Does this mean that a 'hacker' could get the email addresses of all the users who have registered with my app? If so, is there a way to do this securely?
Well to answer your question if anyone can get data if the rules are set to true: yes, I can query everything from every user when I am registered. Do not do this unless you are testing. Write database rules: only Firebase Database can access every data and check the unique name for you. Simple example:
{
"allusernames": {
".read": false,
".write": "!data.exists() && newData.exists()"
}
}
When you get an error in your code, with other words the write failed, you know the username is taken.
Ok. I am unsure about a few things with Firebase and its security and I was hoping that you guys would help me clear a few things up and also this might be a great topic to get some noob questions cleared up.
1. Does FIRAuth.auth() manage tokens and connections?
I have very simple code in my project:
if let user = FIRAuth.auth()?.currentUser {
// Do Stuff
}
Is this all I need to do? How does this connect to Firebase? By this I mean is this data sent via GET/POST or is it encrypted? Should I be generating tokens and authentication and then checking that?
2. Is this sufficient rules to stop access to the DB?
I have defined some rules in my database:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"score": {
"$user_id": {
".write": "$user_id === auth.uid"
}
}
}
}
What I want to achieve here is the ability to save a score value in the DB. However, the database should only be accessible to the user logged in and also the entry with the user_id also. They should not be able to access another players score.
3. Can I test these rules?
Is there a way to have dummy users and privileges in the console so I can test these? If so, how?
4. Is it possible to have SQL injections if there is no SQL database?
Are there other methods I should be trying to stop, for example stopping MITM attack, etc.?
Appreciate all answers.
I'm using the Firebase iOS SDK and part of my app experience is group chat. I have a class for each group chat and store a reference to the firebase object as follows:
self.firebaseMessages = [[Firebase alloc] initWithUrl:[NSString stringWithFormat:#"%#/Message/%#", FIREBASE_URL, chat.objectId]];
I then observe each event I'm interested in. This works very well. I use custom auth with JWTs and my issue is when the token expires or the user logs out / in and I re-authenticate. At that point, the callbacks stop firing for the events I'm observing unless I completely restart my app. I know the re-auth was successful because I get a success callback and authdata in the AuthEventWithBlock. When I set values, the database updates and other clients receive those updates. It's just the client that re-auth'd that no longer receives updates.
I've dumbed down my security rules to eliminate that as a possibility:
"Message": {
"$message": {
".read": "auth != null",
".write": "auth != null"
}
}
I re-auth on the root URL:
Firebase *ref = [[Firebase alloc] initWithUrl:FIREBASE_URL];
[ref authWithCustomToken:responseObject[#"auth_token"] withCompletionBlock:^(NSError *error, FAuthData *authData) {
I've tried re-auth on each message URL as well. Also tried re-instantiating all of my Firebase objects.
Also note that I am using [ref unauth] on the root to log the user out and to simulate a token expiration.
What am I missing?
Kato's comment is the solution. Make sure to re-establish event listeners if you lose authentication and re-auth.
Also worth nothing that all of the data will also flow back in when the listeners are re-established. If you're on a screen that streams data from those listeners - like a group chat, you will likely receive data that is already being displayed. Easy enough to handle, though.