I'm currently evaluating Firebase. In my application I allow users to create entities (custom exercises) which are stored in SQLite DB now. I want to move this to FB, but I have a question.
I want to allow users to authenticate to be able to sync their exercises with other devices. Fairly standard use case. But I don't want to force users to have an account with my app, so they can use it anonymously as long as they want and don't need the sync. Is there a way to disable syncing with the server when they are anonymous? This makes no sense to sync anonymous data with server, because they won't be able to pick it up anyway, so, should they change a device or factory reset, they will get a new ID and that data will become abandoned.
So what I want is while a user is anonymous - to keep his stuff local only in Firebase RTDB, but, as soon as he logs in, sync it. Is that possible?
Thanks.
The Firebase Realtime Database is a cloud-hosted database, that continues to work for brief to intermediate moments where you are not connected to the network. If you're looking for a database that works for indefinitely periods of offline, with only a potential synchronization at some point, the Firebase Database might not be a good fit at the moment.
If I understand your question correctly, you should be able to use the database rules to achieve the desired behavior.
Set read to be global, while write is restricted to authenticated users only. When an anonymous user makes an account, the user therefore gains write access and all the local data can then be pushed onto the database.
Related
I've created an app, which uses the Firebase Realtime Database.
I have a pretty big problem with the security rules. My users don't need to login use the app, they can send the data to the database without any authentication.
For example: it's a simple game, they can play with each other, then they can save the scores.
I would like to create a secure database, but anyone can write & read it. What is the best solution? Anonymous authentication?
If you don't secure your database, anyone can write any score.
Worse, anyone can write their own app to use your database, and you'll then end up paying for it. If you don't want this, write rules that only allow the exact interaction that is valid for your app.
If you don't want to require (even anonymous) authentication, at the very least write validation rules that ensure the data that is written follows the business rules of your app and code. That at least makes it less interesting for others to abuse your database for their own purposes.
Anonymous auth is better than no auth at all. But you will need to take care to write rules that allow each user appropriate access to whatever parts of the database they should have access to. Simply allowing all anonymously auth'd users to read and write everything is still not really "secure" at all.
I have an app that uses SQLite to store the users' data (stats and such). The app doesn't require users to sign up or log in. I would like to add the capability for cloud syncing of data to the app, so Cloud Firestore sounds like a great fit. However I don't want to force users to sign up or log in if they don't want to use cloud syncing features.
Is there some clever way to use Firestore locally without having to log in users? That way I could convert the SQLite data to non-relational format once and have one place where the data is stored. Otherwise I'd have to maintain and update two databases - one for users who don't want to sign up/log in, and another for those that do.
Cloud Firestore doesn't require users to sign in. You can easily use Firestore without having the users sign in. I do this all the time, since data in my apps is often simply shared between all users without any sense of ownership.
However: finding a user's data in a cloud-hosted database requires that you're able to identify the user. If you already have a way to identify them, then you can continue to use that identification with Firestore.
If you don't currently have a way to identify users, I recommend looking at Firebase's anonymous authentication. This is a completely transparent, non-interactive way to add a user identification token.
I have a pre-populated SQLite database for my Android app and I need to do some reads to show elements for an autoCompleteTextView and then other few operation, only reads on the database.
In the past days I've read about SQLCipher and Cloud Firestore by Firebase. SQLCipher seems what I was looking for but I read that I can't use it with a pre-populated database. I think that Firestore (or any other cloud service) it's my only other solution but I'm a little worried about the price and the possibile delay between the input on the ACTV and the server results.
The database does not contain any user information or other sensitive data, I just want to protect my work. I've no need for the strongest protection.
Can I use Firestore with my SQLite database? Are there any other solution for my problem? Thanks!
If you want to use Firebase, you need to know that there is way in which you can secure your database very simply using Firebase Database Security Rules.
Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it. By default, your rules are set to allow only authenticated users full read and write access to your database. This is to protect your database from abuse until you have time to customize your rules or set up authentication.
If you want to use the new Firestore release (which is currently in beta release) please take a look at Secure Data in Cloud Firestore offical documentation for more informations.
Another thing to note is that also Firebase and Firestore can provide offline capabilities. So the pplications will work even if your app temporarily loses its network connection. So there is no need for other database in order to achieve that.
Another thing to note is that Firebase can provide Anonymously Authenticatin.
As a conclusion Firebase can provide you security, even your app does or does not contain any user information or other sensitive data.
I use Firebase Database and Storage to host some pictures for my Android app. Those pictures are only uploaded by me from the Firebase web interface. The Database and Storage have rules so only authenticated users can read and nobody is allowed to write. (So there is NO user generated content, I just need a place to host graphics for my Android app).
The reason authentication is required for read access is to make sure nobody else uses the pictures in another app (or website). For the authentication I create (only) anonymous accounts. (They are created automatically on first app start).
My question is about the anonymous user accounts: Will these ever be deleted when they aren't used anymore? Every time I clear data (or reinstall) my app, then another anonymous user account is created.
Is this something I should worry about or is this normal behaviour? Is there anything I could improve in my situation? Please note that this part of my app is not yet live for all users, so I can change stuff if needed.
Firebase Authentication does not automatically delete accounts.
But no data is maintained on the server for anonymous accounts, so effectively every time your users lose their anonymous authentication token, that account is forgotten by Firebase Authentication.
You can use Cloud Functions for Firebase along with some scheduling mechanism to periodically delete unused accounts. There is sample code on GitHub.
I understand that having security is on the top of our "TO-DO" list, we all need it and want it. But i don't understand what could happen if I don't use security rules in my Firebase database.
Currently, I'm developing an app and the way I did it, I haven't implemented security rules to work with the app, so .read and .write is just set to true. User has to log-in through Facebook though to be able to send requests.
I have tried to implement the security rules to work with the app, but I have some bugs, so does it really bother if it stays that way? Is there any way someone could send a "bad" request? What are the risks?
With write set to true anybody who finds your app URL could delete your whole database. They could change whatever they want. Android, ios or websites, nothing is safe as they will be able to find the URL easily.
In addition to Mathew's answer you'll also want to think about abuse to your database.
Any user who knows the URL of your database can:
write any data to your database. So by dumping data, they could push your database over its quota and make your app unusable for your actual users.
use your database for their own uses. They'd be eating up your bandwidth quota. Once your quota has been consumed, your app may become unusable for your actual users.
The above apply to the Spark and Flame plans. If your project is on a metered plan, malicious users can drive up your usage and thus your bill.
Your Firebase Rules generally helps you take care of Server side security. and ensures your data are secure and database protected from malicious user.
So Authenticating a user does not in anyway hep protect your database.
So if you dont have rules in place you could lose all your data. An Authenticated user can simply use a sigle line of code " ref.remove() " and viola all you data in your data base is gone so easy.
So please always ensure you write security Rules to make you firebase database secured.