4

I understand that there are Realtime Database Rules which can be configured to restrict access to data at multiple levels. That's great.

What about hosting? Are 'Members Only' webpages secured exclusively by the Realtime Database Rules? In other words, the client-side JavaScript could look at the firebase.auth().currentUser; properties to determine what form, table, card, section, or whatever to switch from CSS display:none to display:inline, for example. However, the HTML is already downloaded to the client so that's not really secure.

So, is the idea to go ahead and download the page but use Realtime Database Rules to determine if the page details get filled with sensitive data? Is that the idea?

I have even stored markup (HTML) in the Realtime Database and that actually worked fine.

Any recommendations are appreciated.

Frank van Puffelen
Ronnie Royston
  • My question acknowledges the public nature of Firebase hosting but seeks advice on how to architect members only / private pages. Is storing markup in the Realtime Database OK/recommended? Public forms with no data until pulled via authorized Realtime Database rules seems to be how to implement members only views. Just looking to see what others think / recommend. – Ronnie Royston Jul 29 '16 at 16:18

1 Answer

5

Firebase Hosting doesn't have any kind of access control presently, and you're correct that the HTML/JS/CSS will all be downloaded even if you're hiding and showing it based on Firebase Auth state.

Depending on your application, that may actually be just fine! Since you can control what users actually do using Firebase Database security rules, it isn't really a big deal if users can dig into the code and see functionality that they can't actually utilize.

If it is important to hide the capabilities of the application, you could dynamically load JS/HTML from the database or Firebase Storage only after authorization.

Michael Bleigh
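The approach from the answer, as an added example that is not part of the original posts: members-only markup lives in the Realtime Database behind a read rule, and the publicly hosted page only fetches it after sign-in. The `memberPages` and `members` nodes, the `loadMemberView` function, the `members-view` element id and the `dashboard` page name are all assumptions made for illustration.

```javascript
// Added example. Assumed Realtime Database rules (node names are hypothetical;
// the "members" node is maintained by an administrator, never by clients):
// {
//   "rules": {
//     "memberPages": {
//       ".read":  "auth != null && root.child('members').child(auth.uid).exists()",
//       ".write": false
//     }
//   }
// }
// ".write": false matters: the markup below is injected as HTML, so any client
// able to write it could run script in other members' sessions.

// Fetch one members-only fragment and place it in `container`.
// `db` is firebase.database(); `user` is the value given to onAuthStateChanged.
async function loadMemberView(db, user, container, page) {
  if (!/^[\w-]+$/.test(page)) throw new TypeError('invalid page name');
  container.innerHTML = '';            // the public page ships only an empty shell
  if (!user) return 'signed-out';
  try {
    const snap = await db.ref('memberPages/' + page).once('value');
    if (!snap.exists()) return 'not-found';
    container.innerHTML = snap.val();  // trusted only because clients cannot write it
    return 'loaded';
  } catch (err) {
    // The read failed; for a signed-in non-member that is the server-side rule
    // refusing it. The rule, not this script, is the access control.
    return 'denied';
  }
}

// Browser wiring: runs only where the namespaced Firebase SDK and a DOM exist.
if (typeof firebase !== 'undefined' && typeof document !== 'undefined') {
  firebase.auth().onAuthStateChanged((user) => {
    loadMemberView(firebase.database(), user,
      document.getElementById('members-view'), 'dashboard');
  });
}
```

Hiding the container in client code is only presentation; a user who skips this script and queries the database directly still gets nothing unless the rule admits them.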