I want to add security to my firebase application so that no one can write data by only knowing firebase url. We are using Android/ iOS client applications and php server.
I need the following to be clarified.
Is authentication using token is the best way to add security (we do not need a user login)
I do not want the token to be expired. Is this possible?
Will this effect read operations from client apps which do not use this tokens?
Can I remove this authentication later so that any one can access
Firebase uses a declarative, server-side rules language to control access to data. This is covered in detail in the security docs. I'd highly recommend reading this before continuing; it would address all the questions here and save some pain later.
Authentication is indeed the simplest way to identify users and control access. Firebase provides a number of authentication methods, including Anonymous auth.
Since security rules can also depend on data stored in Firebase, and use a complex rules engine, it's possible to create any sort of dynamic combination of authenticated and non-authenticated access, role-based security, et al.
Related
I want to use firebase auth for my android and ios applications with custom backend. So I need some way of authentication for api calls from mobile apps to the backend.
I was able to find following guide in firebase documentation which suggests to sent firebase id token to my backend and validate it there with firebase Admin SDK.
https://firebase.google.com/docs/auth/admin/verify-id-tokens
But this approach does not seem to be a security best practice.
For example here https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ it is said that for API access one should use access tokens rather than id tokens.
Are there any good pattern for using firebase auth with my backend?
firebaser here
Firebase itself passes the ID token with each request, and then uses that on the server to identify the user and to determine whether they're authorized to perform the operation. This is a common (I'd even say idiomatic) approach to authentication and authorization, and if there's a security risk that you've identified in it, we'd love to hear about it on https://www.google.com/about/appsecurity/
From reading the blog post it seems the author is making a distinction between authentication (the user proving their identify) and authorization (them getting access to certain resources based on that identity), but it'd probably be best to ask the author for more information on why that would preclude passing an ID token to identify the user.
I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
No, you can't limit access to your Cloud Firestore only to your application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
Also see:
How to enable access of firestore data to my nativescript app only?
Why is it okay to allow writes into Firebase from the client side?
Is it safe to use Firestore and its features via client only?
Scenario:
I want to create an android app which uses username and password for authentication. I decided to use firebase custom auth for that purpose.
From my android app, I am calling a firebase cloud function to authenticate the user with the provided user credentials.
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
Source: https://firebase.google.com/docs/auth/admin/create-custom-tokens
I would like to make use of firebase firestore to store username and password and use it to create custom JWT for Firebase custom authentication in firebase cloud functions.
Question:
Should I store user credentials in firebase firestore and if yes, what is the secure way to do so. If no, how should I proceed further?
How to create JWT in firebase cloud functions if the credentials passed to the function match with the credentials in firestore.
Note:
I don't have a credential system or own a server.
If you've never created authentication systems before, I highly recommend finding an existing implementation of such an authentication system for your app. Using something that is made by folks that do this for a living, is much less likely to lead to future data leaks that would negatively affect the users of your app.
That said: if you're going to build your own system, you'll want to have a look at this example usename/auth provider in the functions-samples repo. It shows how to receive the data, how to call a backend system, and how to mint a custom token.
For some information on how to store username/password, see Best way to store password in database. Storing this information in Firestore is a common approach, and no better or worse than storing it in any other properly secured cloud-based database.
I am making android app which authenticate anonymously, so how can i make difficult for other person to discover my firebase url that is accessed from my android app ?
Exposing your Firebase URL is not a big security risk and it is necessary to expose it in order for the users to be able to interact with your database.
To properly protect your data, you should use a combination of authentication and authorization.
The first you'd do through Firebase Authentication, which means you require your users to sign in with the app.
You'd then use this knowledge of who the users are to ensure they can only perform authorized operations on the data. For that you'd use the security rules for the Firebase Database.
If you have those two in place, you can secure the data against malicious users and share the URL without fearing them.
I can't seem to be able to implement firebase custom auth. I'm new to programming and I cant find any reference to create custom auth from scratch. My application is android based social report.
the following are my use cases :
I need an admin to manage the data (CRUD the report)
Normal user to post reports
I did some research.
Based on what I've read, I need to create custom auth to differentiate normal users and admin.
I don't know the proper way to implement my auth server. I'm thinking of putting my users data (admin and normal user) on firebase. Is it viable? Do I need to create a separate database of users on my auth server to verify the auth? Can you please explain the workflow of firebase custom authentication?
From the terse description you've given, it doesn't sound like your regular users need custom auth. They can just as easily use email+password or one of the supported social providers to authenticate. Given that you indicate being new to programming and the fact that getting authentication right is hard, I highly recommend not building your own authentication for these users.
Whether your administrators require custom authentication tokens is also debatable. From what you tell about their tasks, they are application administrators: users who fulfill a special role within the application. Those you can easily model in your Firebase security rules. As for regular users, if you can use a built-in identity provider for these administrator, it significantly reduces the chance of introducing a security hole.