I've got Firebase Database working on iOS.
Everywhere the doc tells me that using
{
"rules": {
".read": true,
".write": true
}
}
Will make the DB open to "the world". So I want to limit access to my app only. The doc says how to append user auth and rules according til this.
But I just want general auth for the app, not per user.
How do I achieve that?
Thanks,
Related
I'm trying to write a project using Realtime Database (firebase) and Angular. Lately I've been trying to learn how to use roles in a project (user, manager, admin, etc.). Did I understand correctly - in the case of using Realtime Database, it is impossible to create roles. Instead, you need to use the rules in the database:
rules: {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
Everything was very good until I read:
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken () method.
What does "your server" mean? I am using Realtime Database and firebase authentication and this is not enough and I need server?
Maybe there is an easier way to add roles to the Realtime Database, I just haven't found it?
Here's what I want to achieve:
I have an iOS frontend, a Vapor backend, and a Firebase storage bucket. I have an app where a small portion of the functionality is being able to add images to some Note objects. When the user attaches an image to a Note, I want to upload the image to the bucket, get the key/url where it's stored, and store that in the backend DB. All that is simple enough, except - I want the bucket to be accessible ONLY by my iOS code and my backend code, so not just publicly accessible by anyone.
The backend is covered via the service account stuff. but I'm not sure about how to cover the iOS side. Firebase generated this basic rule to prevent public access:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
I believe this rule allows only Firebase-authenticated users to use the bucket, but I do not plan to authenticate my users through Firebase. Is there a way I can set up rules such that the bucket is only accessible via my own iOS code? Should I essentially just create a single Firebase user, and have the app authenticate as that user on every app launch? Can I configure Firebase such that it uses some secret that allows it to perform storage operations that get past the rules?
**edited for clarity
As #jnpdx commented, have a look at Firebase's anonymous authentication, which allows you to sign in (and identify) users without asking for credentials. Based on that you'll then want to ensure that each user can only read the files they're authorized for.
While if request.auth != null may seem good for that initially, I find it's often better to start with the principle of least privilege - and for example have some form of content ownership based access rules.
Finally, also have a look at Firebase App Check which was introduced earlier this year, and works together with the attestation providers on your phone to reduce the risk of unauthorized code being used to call the Storage APIs.
All,
I have been working on an Android App that uses firebase realtime database, cloud store and authentication. It's never going into production on the google play store - however I am worried that in a few days time, the access to the database will be denied because I don't have 'strong' rules - whatever 'strong' are.
Currently, the rules are set as follows:
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
The database and all functionality work great - what can i do to add to these rules to satisfy firebase that I now have 'Strong' rules - or at least prevent access from being denied in 30 days - as I need this app to show the functionality of the database etc.
Thanks
Automatically when you change your Firebase rules it will be propagated throughout all the database, there is no need for users to update your app, what you need to be sure is that the users have any login provider (google,facebook) because these rules are saying that only authenticated users can read and write into the database.
If you post this rules without an authentication provider from Firebase, your users will see a blank screen and they will not be able to read/write, if you have implemented a login system with any provider you would be fine
I'm creating a registration to an app that I'm developing but I can't seem to read the information I'm storing on my firebaseDB.
My rules on the firebase are already
"rules": {
".read": true,
".write": true
I've tried some youtube tutorials but even after doing the exact same thing it didn't work.
I'm using Firebase to handle my Google OAuth login for my website. Does anyone knew how to restrict the users who have access to the application? For example, I only want x#gmail.com, y#gmail.com, and z#gmail.com to successfully be able to log in via google to my application.
I wasn't sure if this was a Firebase or Google question, but any help would be much appreciated.
Firebase's authentication handles only that: the authentication of users through any of the mechanisms you enable. Whether those users have access to your data is called authorization and it is handled through the security rules of your Firebase.
So:
Authentication allows the user to identify him/herself with your application. See Firebase's documentation on authentication (for JavaScript/Web, but it exists for all supported platforms).
Authorization limits read/write access to your data to specific users, based on their authentication. See Firebase's documentation on its security rules.
Limiting access to your data to specific email addresses is certainly possible. I recommend that you read Firebase's documentation on its security rules and try to make it work based on that. If you have any problems, post what you've tried and we'll be able to help you better.
These rules will allow anybody to login, but only the listed email addresses to read or write data:
{
"rules": {
".read": "auth.email == 'x#gmail.com' ||
auth.email == 'y#gmail.com' ||
auth.email == 'z#gmail.com'",
".write": "auth.email == 'x#gmail.com' ||
auth.email == 'y#gmail.com' ||
auth.email == 'z#gmail.com'"
}
}