I use Firebase Database and Storage to host some pictures for my Android app. Those pictures are only uploaded by me from the Firebase web interface. The Database and Storage have rules so only authenticated users can read and nobody is allowed to write. (So there is NO user generated content, I just need a place to host graphics for my Android app).
The reason authentication is required for read access is to make sure nobody else uses the pictures in another app (or website). For the authentication I create (only) anonymous accounts. (They are created automatically on first app start).
My question is about the anonymous user accounts: Will these ever be deleted when they aren't used anymore? Every time I clear data (or reinstall) my app, then another anonymous user account is created.
Is this something I should worry about or is this normal behaviour? Is there anything I could improve in my situation? Please note that this part of my app is not yet live for all users, so I can change stuff if needed.
Firebase Authentication does not automatically delete accounts.
But no data is maintained on the server for anonymous accounts, so effectively every time your users lose their anonymous authentication token, that account is forgotten by Firebase Authentication.
You can use Cloud Functions for Firebase along with some scheduling mechanism to periodically delete unused accounts. There is sample code on GitHub.
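One way to write the cleanup this answer suggests (and that a later question on this page also considers) is sketched below as an added example; it is not the GitHub sample and not code from the original posts. It assumes the Firebase Admin SDK for Node.js, whose Auth service provides `listUsers` and `deleteUsers` and whose user metadata carries `lastRefreshTime`; the function names and the 30-day window are hypothetical.

```javascript
// Added example, not the GitHub sample. `auth` is any object exposing
// listUsers(maxResults, pageToken) and deleteUsers(uids), as the Admin SDK's
// Auth service does; function names and the 30-day window are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Latest activity evidence on a user record. An anonymous user signs in once
// and afterwards only refreshes its ID token, so lastSignInTime alone would
// make an active install look abandoned.
function lastActiveMs(user) {
  const m = user.metadata || {};
  const times = [m.lastRefreshTime, m.lastSignInTime, m.creationTime]
    .map((t) => Date.parse(t))
    .filter(Number.isFinite);
  return times.length ? Math.max(...times) : NaN;
}

// Anonymous accounts have no linked providers; an account upgraded by linking
// Google or email/password has at least one and is never selected.
function isStaleAnonymous(user, cutoffMs) {
  if (!Array.isArray(user.providerData) || user.providerData.length > 0) return false;
  const last = lastActiveMs(user);
  return Number.isFinite(last) && last < cutoffMs; // no usable timestamp: keep
}

async function purgeStaleAnonymous(auth, maxAgeDays, now = Date.now()) {
  const cutoffMs = now - maxAgeDays * DAY_MS;
  const stale = [];
  let scanned = 0;
  let pageToken;
  do {
    const page = await auth.listUsers(1000, pageToken); // 1000 = page maximum
    scanned += page.users.length;
    for (const u of page.users) if (isStaleAnonymous(u, cutoffMs)) stale.push(u.uid);
    pageToken = page.pageToken;
  } while (pageToken);

  let deleted = 0;
  let failed = 0;
  for (let i = 0; i < stale.length; i += 1000) { // deleteUsers takes <= 1000 uids
    const res = await auth.deleteUsers(stale.slice(i, i + 1000));
    deleted += res.successCount;
    failed += res.failureCount;
  }
  return { scanned, deleted, failed };
}

// Wiring in a scheduled function (assumed setup, not run here):
//   const admin = require("firebase-admin"); admin.initializeApp();
//   await purgeStaleAnonymous(admin.auth(), 30);
```

Accounts created through custom tokens can also carry no provider entries, so a project that uses them needs an extra filter before deleting.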
Related
I wanted to know if, when there's a Firebase authentication, it's possible to get the source of this authentication?
To know if it's from my iPhone app, Android app or web app.
Why:
My web app isn't on the web, but on a local server. I want to distribute this web app with the server (it's for a personal project but it could have 10 prototypes). So everybody can get my Firebase config. And I don't want someone to be able to create an account from the web Firebase API, because I accept Google/Apple and email/password auth. I can't disable email/password for my project's purpose.
I hope this is clear.
To be more clear, if the email/password auth is created, is it possible to know if it's from the Android app, the iPhone app or the web app?
Thanks
The provided APIs for Firebase Auth don't give any indication which platform was used to create the account. Firebase intends for all accounts to work across all platforms using the provided SDKs and APIs accessible for each platform.
If you want to record your own per-user data in a database, you're free to do that. Note that this is not really "secure" in that each user could effectively manipulate your database or APIs to indicate whatever they want about their platform. If you do not have this sort of security in mind, then you can simply trust your own code to write, and later read, the user's platform in a database after they sign up.
To be more clear if the email/password auth is created, is it possible to know if it's from the Android app or iPhone app, or web app?
Yes, it's possible. Let's say we want to know if a user has signed in from Android. When the user creates an account from an Android device, most likely you are storing user data as objects in the database. The simplest solution I can think of is to add another property in your User class, called "platform" and set it to "Android". If the user signs up with an iPhone, then set the property to "iOS". Same thing for the web. Knowing that the user might change the device, every time the user opens the app check that value against the OS the user is using. If the OS is changed, also change the value accordingly. This way you'll always know the OS the user is using. If you allow the users to use multiple platforms, for Android, there is a function called getProviderData():
Returns a List of UserInfo objects that represents the linked identities of the user using different authentication providers that may be linked to their account.
Similar functions can be found for the other platforms as well.
I have a project where one app needs to access multiple databases sharded across multiple Firebase projects. Now since it's the same app, I can't use the same SHA1 across all the projects where I add the app.
I do not add any google-services.json files for any of the projects; instead I fetch the database URL, the storage bucket info, the api-key and the app IDs for each project from my own server, which keeps track of all the sharded Firebase projects.
My question is, with just this much information, can anyone just authenticate to Firebase?
There's no SHA1 protection, so is my db even safe even with the auth!=null rule? (since anyone can initialize FirebaseApp with this info and get a FirebaseAuth instance and sign in anonymously). In summary for this one, can anyone just make an app of their own, use the info and access/manipulate my database?
How can I secure my app if it's not secure with the current configuration?
Yes, that should be enough information to create a web app that connects to your database.
But this should not be a problem if the database rules and auth providers are the right ones for your case. For example:
If you don't want anonymous Users to authenticate with your app, disable the option in the Firebase console.
If you want to give access only to a limited set of users without enabling new signups (or if you have special requirements for auth) then use a custom auth provider.
If you want to limit access to certain parts of your database (or need different user roles) adjust your database rules.
I hope that answers your question!
After a little research and a little brainstorming, I came to the conclusion that the OAuth domain, which by default is localhost and the firebase-app domain, will prevent anyone from directly authenticating to my Firebase app.
Even if the api-key and other info is exposed, as long as the service-account is hidden, the auth-domain will protect my app since the auth-domain will cause the authentication from a non-authorized domain to fail. Maybe I'll even want to remove the localhost in production :)
It's just a simple question.
I just tried to install my app, which does Firebase Authentication anonymously, on my Android device.
I just found that Firebase Authentication makes a new user every time I remove the app from my device and reinstall the app.
However, I want one device to have just one authentication id and not to make Firebase Authentication make duplicate users.
How can I do this? I thought I could do this by using Firebase Cloud Functions and making it delete every user that didn't log in for a long time.
But, I'm wondering if there is any simpler solution for this.
Firebase Anonymous Authentication accounts do not persist across application uninstalls. If you uninstall the app, everything that was saved locally on user devices will be deleted, including the anonymous authentication token that identifies their accounts. There is no way to reclaim a token for a particular user and use it in the future again. You can use Firebase Anonymous Authentication to create and use temporary accounts to authenticate users in your application.
If you want to have the same token each time, you need to implement a full login with a supported account provider so that they can log in from all their devices without worry of losing their data or having duplicate accounts.
Say I'm building some basic not-so-secure Android app, and I want to use Firebase as a DB, but I really don't want the user to log in. What would be my best choice of authentication?
If I allow "Anonymous" login - will this mean a big security hole, or would it just mean that programmatically I am allowed to change data anywhere in the db?
Does Firebase support automatic creation/logging of user using my own custom user/id mechanism (without any user intervention)? Docs aren't very clear about that...
Anonymous log-in just provides authentication, which means you can associate a unique ID with each of your users.
This de facto creates a user ID and an Auth Token that is persisted on the phone between runs of your app. The token is refreshed when you call signInAnonymously().
Check this link for hints on how to handle anonymous logins.
Talking about security, anonymous login is not a bad practice. Obviously if you want to keep your DB safe you have to write custom access rules:
e.g. you probably want "anon_user322" to read your page content, but definitely not to modify or delete it.
Achieving this is not so hard, you just have to go to your Firebase Console and write your own rules for the Database.
You can find on this page a good starting guide. I suggest watching this talk from Google I/O 2016; it is a bit long but you will be able to understand the basics of authentication and security in Firebase Database just with the first 25-30 minutes.
I was using anonymous sign-in at first but it has some downsides, like you cannot export and import the exact same user on another device. Therefore I started using password authentication. You can just generate a pseudo email via uuid#yourappdomain.com and also generate the password and keep it within the app data.
For security purposes you won't get around setting up rules for writing and reading data, but it is working quite simply and is easy enough to test with both methods, anonymous and password auth.
I am developing an Android application using Google's Firebase for the backend. I have been running through some tutorials, and they make the user sign in with their Gmail before using the app in order to read and write from the database (correct me if I'm wrong). I don't want this to be the case for the purpose of privacy and not allowing users to read and write data, so how would I not make the users authenticate with their Gmail, and instead for all reads and writes, use a general Gmail specific to the app?
If I don't manually add each Gmail account to the Firebase console directly as either an editor or owner, then users cannot log into the app. I have been following Google's Firebase tutorials found here: https://firebase.google.com/docs/auth/android/google-signin
Thanks
What you're describing sounds like Firebase anonymous authentication. Users can use an anonymous account to read and write as if they are fully authenticated, without having to go through any login process. Then, if you want, you can later give them the option to link that account to a fully identified authenticated account from an authentication provider, such as Google.
Note that anonymous accounts don't survive application uninstall, and they can't be used by the same person across different devices. If you want the user to be able to log in and out and retain use of the data you store on their behalf, you need to use an authentication provider to verify that the person is who they say they are.