Recently I started to learn and work with Firebase and I have a doubt with their Storage Service.
I'm just using Firebase Storage to upload files from my Android App. I'm not using Firebase Auth Service, because I use my own backend for authenticate users.
Firebase Storage is working and the files are being upload with success, but I'm receving a strange warning exception (that's not avoiding the upload to be success):
E/StorageUtil: error getting token java.util.concurrent.ExecutionException: com.google.firebase.FirebaseApiNotAvailableException: firebase-auth is not linked, please fall back to unauthenticated mode.
I don't want to create users with Firebase, because I handle this in my backend...
Why I'm faceing this warning? If I need to authenticate users just to stop this warning, can I create a "Application Level User"? I don't need to authenticate separeted users for this because all files are shared among users...
The Firebase SDK for Cloud Storage works with the Firebase Authentication SDK to help the Cloud Storage backend know who the active user is. This is how Cloud Storage security rules work. Without the linkage between these two products, you wouldn't be able to write security rules that allow or reject access to certain users.
If you're not using Firebase Authentication, then you can just ignore that message. But this also means that you have to enable full read and write access to everyone at the path in your storage bucket that your users upload to. In other words, anyone in the world can freely modify your storage bucket, and that could become a problem for your app.
If this isn't what you want, consider using Firebase Auth to do custom authentication with your backend so you can be sure that only authenticated (and possibly authorized) users can modify your storage bucket.
Related
This question already has answers here:
How to make firebase storage only available to users of the app
(2 answers)
Closed 3 years ago.
I need to access read/write images from firebase storage. There is no authentication facility. How can I restrict the data management through app only.
Existing rules to provide public access is
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write;
}
}
}
There is no way to limit access to the files through the Firebase SDK to your application only. That approach simply doesn't work in a cloud-based environment.
Also see:
Restrict access to Firebase storage so only my app can access it
How to allow only my app to access firebase without a login?
Locking down Firebase DB access to specific apps
How to make firebase storage only available to users of the app (which I just now found, and of which your question is a duplicate)
While these are usually about other Firebase products, the same logic applies to Storage.
You will need to describe in your security rules what can be done to the files in Cloud Storage through the Firebase API, and then (if needed) who can do those things by using Firebase Authentication too.
Note that using Firebase Authentication doesn't necessarily require the user to provide credentials, as Firebase provides an option to sign in anonymously. This simply gives each user a secure, unique ID, which you could for example use to allow users only access to files they uploaded themselves (and many other use-cases).
As per docs
Cloud Storage stores your files in a Google Cloud Storage bucket, making them accessible through both Firebase and Google Cloud
Although firebase directly doesn't support that but google cloud has the option to restrict API to specific application package name signatures only. I tried for MAP sdk, but theoretically storage should work also.
How to export users who have downloaded the mobile apps?
Firebase can export the list of Authenticated users but there seems to be no built-in way to get the users who have downloaded the mobile apps:
https://firebase.google.com/docs/cli/auth
-- My specific use case --
I want to give a free purchase ticket only to the first 5000 +- users who have downloaded the apps.
Firebase Authentication has no built-in way to track from what platform a user accesses your app.
The closest I can think of is to set the user's ID in Google Analytics for Firebase, and track the platform there.
The alternative would be (as Joshua commented) to have the native apps write a for for each user to a database (like the Realtime Database or Cloud Firestore). If you choose this approach, you'll have to find a way to secure that write though. Here too Firebase doesn't have anything built in to only allow writes from certain platforms, so it's up to you to come up with a security scheme.
Im currently building an app, back-end and front-end and I use Firebase for saving pictures that the users can upload and download, up till now I've been uploading them from the front-end and if the upload is successful then I send the image link with the rest of the data to the back-end, but as Im saving firebase credentials (in order to connect) in the app, now Im questioning if it would be better/safer doing it all in the back-end, sending all the information (image included) and the let back-end upload the image to firebase. I don't how how secured are those credentials being of the app
I usually handle things in the front-end if the Firebase SDK has what I need. The only common reasons not to do this, is when there is a requirement to do them in the back-end. This is only common for operations that: require a lot of memory/CPU/bandwidth, require access to secret information (e.g. an API key for a payment gateway), or where the code itself is secret (e.g. detecting cheats in a game, or malicious messages in a chat app).
In your case for example, uploading directly from the front-end to Cloud Storage is a great reason to use the Firebase SDK. Doing so means that Firebase takes care of the encoding, of retrying, of security, and many other things. If you'd want to introduce your own server in the middle, you'll have to write the (client and server) code to handle all of that yourself.
Note that the keys that Firebase tells you to add to your app through the google-services.json are not credentials, but merely configuration data that the app needs to find your Firebase project on the servers. For more on this, see my answer here: Is it safe to expose Firebase apiKey to the public?
But that said, with the configuration data anybody can call Firebase API methods on your project. So you need to secure access in some way, to prevent other users from coming up with their own code that uses your project.
The common way to do this is by using Firebase Authentication on the client to sign the users of your app in. You'd then use the Firebase security rules to limit who can read/write what files in Cloud Storage.
I am working on an android application connected with firebase.
As we know that the api key and database name as being stored in strings.xml in apl file so they can be easily extracted.
As I told one of my friend his email-id and password for testing purpose.
The issue is that he was able to see all the data in the firebase realtime database by using the restAPI.
I had used sha1 but since the firebase is responding to the other links.
Is there any other way in which the firebase will respond to the request generated by the android app and not any web or ios.
Credentials for accessing Firebase are not platform specific. Once you know the credentials of a user, you can access the platform as that user.
For this reason you should never share your credentials with someone else, but instead give them access to your project with their credentials.
The simplest way to fix your problem now is to change the password of your account. After doing that, the other user will lose access within an hour.
The configuration data that is added to your Android app through google-services.json is just configuration data. It is in no way meant as authentication for your app. For more on this see Is it safe to expose Firebase apiKey to the public? and How to prevent other access to my firebase.
I have images saved to my Firebase storage and I only want users using the app to be able to access them. I don't want to force my users to login just to use the app, so that is not an option.
Since the Firebase back-end services are hosted in the cloud, they are by nature accessible by anyone. There is no way to limit their access to only people that are using the code that you write. Any developer can download the SDK, rewrite your code and use that to access the same back-end services.
That's why you secure access to Firebase data (whether structured data in the database or files in storage) through user-based security. Making your users sign in to the app, means that you can identify who is accessing the data. Once you've authenticated the users, you can use Firebase's security rules (for database or storage) to ensure they can only access the data they're authorized for. They may still be using other code, but you'll at least know who they are and be assured that they can only access the data in ways you authorized.
You can get the best of both worlds (requiring users to be authenticated, without requiring them to log-in) by using anonymous authentication. Just keep in mind that there too, any developer can download the Firebase SDK and authenticate the user anonymously.
For an older discussion on the topic (for the database, but it applies equally to storage), see How to prevent other access to my firebase
Basically you want to change the Rules of your Storage. Under the Firebase console and in Storage there are two tabs in the top of the frame. One that says file and one that says Rules. If you click the Rules tab you will get a view of the code that defines who can read and write to and from your storage. You will want to follow the link below to set up the correct rules for your storage. But based on what you want all you have to do is set the read write code to be:
allow read: if request.auth != null;
Check out this link: https://firebase.google.com/docs/storage/security/user-security