I have two firebase apps. They need to access common files, so the Firebase storage is on one app. What rule should I add in Storage rules so that only these two apps get access and not anyone else? Currently I am using public setting in the rules.
Related
This question already has answers here:
Is there any way to give everyone access to firestore database, but only via app?
(1 answer)
How can I set Rules in Firebase so that only my app can write on my database firestore?
(1 answer)
Closed 2 years ago.
I am currently building two apps(admin and customer) and both have added in a single firebase project. Both apps are using Firebase Auth(Phone Number) registration process. The admin app is mostly saving details in Firestore DB and the customer app is only can fetch these details for viewing purposes.
Currently, I don't define any rules for them as I am a little new in Firestore/Firebase Rules. But I am wondering to add some rules which will give permission to fetch only those apps which I have added in the same Firebase project where my admin app is. I may be wrong but I think anyone can able to access my admin data by if they will get those names or keys which I am using in my Collections.
So is there any way or rules which will give the data accessing permission to specific apps that I have added in my same firebase project?
There is no way to limit access to "just this app" in Firebase security rules. Anyone can take the configuration data from your app and use it to call the same API as you app uses.
For this reason you will need to make sure that your security rules model the logic that you want. You'll typically replicate some of the data access logic between your client-side application code, and the server-side security rules. This means that you're modeling who can take certain actions, not what code/application they use to do that.
Also see:
How can I set Rules in Firebase so that only my app can write on my database firestore?
Is there any way to give everyone access to firestore database, but only via app?
How to enable access of firestore data to my nativescript app only?
and many more from these previous questions about the topic
I could not find this anywhere, but..
How does Firebase provide security on the persistence of user sessions in Android? So, a user logs in, and he can now perform certain actions corresponding to his privilege, obviously the auth token and other data is hold somewhere for the android app to send to firebase. Where? How is security enforced?
Thanks
Android provides the security, and Firebase doesn't really have to do anything special. On Android, each app is provided a dedicated per-app local storage space that only the app process itself can read and write. No other apps can access this. This is where the token is stored. According to the Android documentation:
App-specific storage: Store files that are meant for your app's use only, either in dedicated directories within an internal storage volume or different dedicated directories within external storage. Use the directories within internal storage to save sensitive information that other apps shouldn't access.
Any app can use its own dedicated space to store data securely. This is what the Firebase SDKs use.
What I can say from my experience with firebase auth store current login user info
in share preference i.e. APP_SHARED_PREFERENCES inside that here is column for firebase auth com.google.firebase.auth.api.Store.{some random string} inside that you can find key value pairs as follows
Key com.google.firebase.auth.FIREBASE_USER value > current login user info
key com.google.firebase.auth.GET_TOKEN_RESPONSE value > token value for user
you can find this using this library
for debugging database in debug mode
This question already has answers here:
How to make firebase storage only available to users of the app
(2 answers)
Closed 3 years ago.
I need to access read/write images from firebase storage. There is no authentication facility. How can I restrict the data management through app only.
Existing rules to provide public access is
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write;
}
}
}
There is no way to limit access to the files through the Firebase SDK to your application only. That approach simply doesn't work in a cloud-based environment.
Also see:
Restrict access to Firebase storage so only my app can access it
How to allow only my app to access firebase without a login?
Locking down Firebase DB access to specific apps
How to make firebase storage only available to users of the app (which I just now found, and of which your question is a duplicate)
While these are usually about other Firebase products, the same logic applies to Storage.
You will need to describe in your security rules what can be done to the files in Cloud Storage through the Firebase API, and then (if needed) who can do those things by using Firebase Authentication too.
Note that using Firebase Authentication doesn't necessarily require the user to provide credentials, as Firebase provides an option to sign in anonymously. This simply gives each user a secure, unique ID, which you could for example use to allow users only access to files they uploaded themselves (and many other use-cases).
As per docs
Cloud Storage stores your files in a Google Cloud Storage bucket, making them accessible through both Firebase and Google Cloud
Although firebase directly doesn't support that but google cloud has the option to restrict API to specific application package name signatures only. I tried for MAP sdk, but theoretically storage should work also.
I am using firebase as backend for my android app. I recently came across database security rules. In my app, any user can access only some specific data to which I have created a DatabaseReference to, in the code of the app. So why do we need security rules if I specify the portions of data the user can access through the app, in the code itself?
Because your code can easily be changed to do whatever an attacker wants. The rules one the server can't be changed or circumvented in any way, except by knowing how to log in to your Google account.
I have images saved to my Firebase storage and I only want users using the app to be able to access them. I don't want to force my users to login just to use the app, so that is not an option.
Since the Firebase back-end services are hosted in the cloud, they are by nature accessible by anyone. There is no way to limit their access to only people that are using the code that you write. Any developer can download the SDK, rewrite your code and use that to access the same back-end services.
That's why you secure access to Firebase data (whether structured data in the database or files in storage) through user-based security. Making your users sign in to the app, means that you can identify who is accessing the data. Once you've authenticated the users, you can use Firebase's security rules (for database or storage) to ensure they can only access the data they're authorized for. They may still be using other code, but you'll at least know who they are and be assured that they can only access the data in ways you authorized.
You can get the best of both worlds (requiring users to be authenticated, without requiring them to log-in) by using anonymous authentication. Just keep in mind that there too, any developer can download the Firebase SDK and authenticate the user anonymously.
For an older discussion on the topic (for the database, but it applies equally to storage), see How to prevent other access to my firebase
Basically you want to change the Rules of your Storage. Under the Firebase console and in Storage there are two tabs in the top of the frame. One that says file and one that says Rules. If you click the Rules tab you will get a view of the code that defines who can read and write to and from your storage. You will want to follow the link below to set up the correct rules for your storage. But based on what you want all you have to do is set the read write code to be:
allow read: if request.auth != null;
Check out this link: https://firebase.google.com/docs/storage/security/user-security