I know this is a duplicate question but none of them helped me
I use Firestore for storing little amount of data... which will be deleted after some minutes which contains no personal information. I have my own authentication system for logging users in. The users have read and write permission in the Firestore. The problem is application is in production and I keep getting Firebase warning mail that 'Your Cloud Firestore database has insecure rules'.
i have published Firebase rule as
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
I have gone through many reference and I figured it out that for secure data we have to you it's own authentication. or is there any solution for it..?
If you are not using Firebase Authentication, then there is no solution for secure per-user access. If you have a different auth system, you will have to integrate Firebase into that using a custom auth provider.
If you have to allow users to read-write with security rules. You can use the cloud function. Cloud function has administrative access. It bypassing the security rules. You have to create Rest API for Firestore read-write operation. Cloud functions doest not require user authentication.
Related
I'm using firebase anonymous authentication and firebase realtime database with persistence. This question is about if I've to do anything to keep authentication valid.
I understand from firebase folks' helpful responses in stackoverflow that if we use standard auth providers, firebase ensures that the auth token don't expire. For example, this comment and this answer:
Anonymous authentication tokens do not expire and are persisted to disk between runs of your app
That said, can I conclude that even if database persistence is enabled, once the user is authenticated s/he remains authenticated until logged out (or authentication revoked specifically for this user) across app and device restarts?
I'm not sure since the documentation of Enabling offline capabilities of Realtime database mentions this
If your app uses Firebase Authentication, the Firebase Realtime Database client persists the user's authentication token across app restarts. If the auth token expires while your app is offline, the client pauses write operations until your app re-authenticates the user, otherwise the write operations might fail due to security rules.
This makes me wonder if I need to do anything to keep the authentication active across app and device restarts. I'm not interested in the token per se. I'm just interested in keeping the authentication valid until sign out.
That said, can I conclude that even if database persistence is enabled, once the user is authenticated s/he remains authenticated until logged out (or authentication revoked specifically for this user) across app and device restarts?
Database persistence has nothing to do with the Firebase anonymous authentication. According to the official documentation regarding Firebase Realtime Database persistence:
When you enable disk persistence, your app writes the data locally to the device so your app can maintain its state while offline, even if the user or operating system restarts the app.
And to answer the second question:
I understand from firebase folks' helpful responses in StackOverflow that if we use standard auth providers, firebase ensures that the auth token doesn't expire.
Yes, that correct. I answered a similar question. Please see the link below:
Can Firebase anonymous UID expire on its own on Android/iOS SDK?
I am really concerned about the security of my data which I would be storing in Firestore, I want to know If someone somehow can extract google-services.json file from my android app or use some other tools to access my Firestore database. Is it possible If yes how can I prevent it?
If your app uses Firebase services and makes use of google-services.json, then yes, anyone can extract that data.
The issue for app developers isn't how to lock down that data (impossible), the issue is how to protect database and storage data to only those users who should be able to access it. The only solution for this is to use Firebase Authentication to verify the identity of people accessing your app, and use security rules to determine who should be able to read and write data.
There are currently no alternatives to this. If you don't require users to sign in using Firebase Auth, and your security rules allow universal access to data, then anyone on the internet who knows the name of your project will be able to access that data. Again, there are no exceptions to this. If your data is readable and writable to the world, then you will need to accept the potential billing consequences for this.
Again, learn about security rules for the products you use: Realtime Database, Firestore, and Cloud Storage.
If security rules are not feasible for your requirements, then you will need to set up a backend service that you securely control, and route all client access through that backend. You will want to make clients pass a Firebase Authentication token to your endpoint so it can validate access using the Firebase Admin SDK.
You should setup Cloud Firestore Security Rules to limit access to the data. Here is an example:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Take a look at Get started with Cloud Firestore Security Rules for more details.
This question already has answers here:
How to make firebase storage only available to users of the app
(2 answers)
Closed 3 years ago.
I need to access read/write images from firebase storage. There is no authentication facility. How can I restrict the data management through app only.
Existing rules to provide public access is
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write;
}
}
}
There is no way to limit access to the files through the Firebase SDK to your application only. That approach simply doesn't work in a cloud-based environment.
Also see:
Restrict access to Firebase storage so only my app can access it
How to allow only my app to access firebase without a login?
Locking down Firebase DB access to specific apps
How to make firebase storage only available to users of the app (which I just now found, and of which your question is a duplicate)
While these are usually about other Firebase products, the same logic applies to Storage.
You will need to describe in your security rules what can be done to the files in Cloud Storage through the Firebase API, and then (if needed) who can do those things by using Firebase Authentication too.
Note that using Firebase Authentication doesn't necessarily require the user to provide credentials, as Firebase provides an option to sign in anonymously. This simply gives each user a secure, unique ID, which you could for example use to allow users only access to files they uploaded themselves (and many other use-cases).
As per docs
Cloud Storage stores your files in a Google Cloud Storage bucket, making them accessible through both Firebase and Google Cloud
Although firebase directly doesn't support that but google cloud has the option to restrict API to specific application package name signatures only. I tried for MAP sdk, but theoretically storage should work also.
We are using in out app Google sign in but also have function to "skip authentication"
For authenticated user we have the following rule
function isSignedIn() {
return request.auth != null;
}
For "skip authentication" we are not using anonymous Firebase login, using kind of local caching mechanism.
The question is the a way to add rule for "skipped users" with some hardcored obfuscated token?
It's not possible to send extra information along with a query in order to authorize the query using security rules. This is not secure, as anyone would be able to bypass the rules simply by knowing the "password" in this case. All identity-based authorization must go through a Firebase Authentication user account - there are currently no alternatives.
I have an android app which is using Firestore as database. I need to make it secure but I am not using authentication service as it is not required.
I was thinking if I can sent a unique ID from android app which can be recognised in Firestore rules and only users(people using my app) can read or write to Firestore.
Below is my security rules -
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow readwrite ;
}
}
}
I expect my Firestore database to be safe from non-users.
I was thinking if I can sent a unique ID
You can't pass arbitrary values to security rules. To send that securely and get it into the security rules, you will have to pass it into the user's authentication token as a custom claim.
But even if you do that, what will keep a malicious user from finding that same secret values (it must be available in your app after all), and passing it into the security rules in the same way.
Coming to think of it, anonymous authentication and custom claims may be your solution. Use anonymous authentication on the client to generate a UID for the user, then (on a trusted environment, such as your development machine, a server you control, or Cloud Functions) give that user a custom claim, and check for that custom claim in your security rules.