To my understanding, Firebase data can be accessed in the browser by appending the node name and .json extension.

For example, opening this URL https://tinderclone.firebaseio.com/profiles.json, you will see a bunch of JSON data.

So how can I restrict anyone from accessing the data, since it may contain sensitive information?

rattanak
  • 1,498
  • 2
  • 13
  • 17

1 Answer

1

This is the purpose of Firebase Security and Rules: https://www.firebase.com/docs/security/guide/

You define rules using a JSON syntax that restrict who can and cannot read and write your data. You can also define rules that restrict the permissible values of your data.

For example:

{
  "rules": {
    "profiles" : {
      ".read": "auth != null"
    }
  }
}

would only allow users who are authenticated whilst making the request to view the profiles object.

Because using the standard JSON syntax can get very complex and verbose, Firebase has created a couple of open source compilers/transpilers for these rules:

But for most simple projects, just using the JSON syntax is fine.

Alex Klibisz
  • 1,313
  • 1
  • 14
  • 21
  • Does the above rule mean that once a user is logged in, he/she can read all the profiles? Putting a hacker hat on, how do they grab all user profiles after they authenticate themselves with a fake profile. – rattanak Feb 13 '16 at 07:47
  • 1
    That will all depend on how you structure the profiles, how you allow users to login, and how you restrict/allow access to further profiles. For example, you could restrict access to each user's profile such that only that user could read/write it. Or you could restrict it so that only the user can write but everyone who is logged in can read. The options are extensive, so I would highly recommend reading through the documentation quickstart (linked in my answer). It's a strange/intimidating concept at first but will be clear after one or two passes through. – Alex Klibisz Feb 13 '16 at 07:50
  • Thanks for the links and open source compilers. It seems that when I applied the rule, the JSON data cannot be accessed directly in the browser even when I am logged in, which is what I need for now. – rattanak Feb 13 '16 at 07:55
  • Good to hear, you can do a lot of detailed things with these rules. For most devs I've worked with it's daunting at first but you get the hang of it quickly. – Alex Klibisz Feb 13 '16 at 19:34
  • One thing I can't wrap my head around. If someone were to take my firebase uri: `https://tinderclone.firebaseio.com`, then develop on it locally, would they be able to use my firebase data then? because it is client side only. Let me know if I need to clarify my question. – rattanak Feb 15 '16 at 07:20
  • Yes, anyone can read/write your data if you don't set rules for read/write access. But you can set read/write rules that restrict this. For example, you could use `".read": "auth != null"` to make it so that a user has to be authenticated (using one of the auth options on your Firebase dashboard) in order to read a specific piece of data. It's tough to give a specific answer in a comment, so if you have a more specific example of data you are trying to restrict access to, either edit this one or post a new one. – Alex Klibisz Feb 15 '16 at 14:13
  • I asked another question over here: http://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification – rattanak Feb 15 '16 at 20:09
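The rules file below is an added example, not code from the answer or from Firebase's own documentation. It carries the two per-user variants described in the comment thread above: a profile that only its owner can read and write, and a profile that any signed-in user can read but only its owner can write. The node names `profiles` and `public_profiles`, the `displayName` field and the 50-character limit are assumptions chosen for illustration; the `$uid` wildcard, `auth.uid`, `newData` and the `.read`/`.write`/`.validate` keys are standard Firebase Realtime Database rule constructs, and Firebase accepts `//` comments in rules files.

```json
{
  "rules": {
    "profiles": {
      // Deliberately no ".read" at this level. Rules cascade downward: a
      // ".read": "auth != null" here would let every signed-in account fetch
      // https://<db>.firebaseio.com/profiles.json and list all profiles, and
      // no child rule could take that permission back.
      "$uid": {
        // Owner-only variant: the record stored under profiles/<uid> is
        // readable and writable solely by the account whose uid matches.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Restrict permissible values: a profile must carry a displayName ...
        ".validate": "newData.hasChildren(['displayName'])",
        "displayName": {
          // ... which must be a string of at most 50 characters (assumed limit).
          ".validate": "newData.isString() && newData.val().length <= 50"
        },
        // ... and no fields other than the ones spelled out above.
        "$other": { ".validate": false }
      }
    },
    "public_profiles": {
      "$uid": {
        // Public variant: any signed-in user may read this record,
        // but only its owner may create, change or delete it.
        ".read": "auth != null",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

With these rules an unauthenticated request for `/profiles.json` is refused outright, and an authenticated request for `/profiles.json` is refused as well, because no rule grants read access at that level; the only readable path is `/profiles/<own uid>.json` with that account's own token. The `public_profiles` branch is where data that is meant to be shared between signed-in users belongs, so the decision about what is visible to everyone is made explicitly per node rather than by one broad grant at the root.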