8

I have a static website which runs:

config =
  apiKey: "HIDDEN"
  authDomain: "HIDDEN"
  databaseURL: "HIDDEN"
  storageBucket: ""

firebase.initializeApp(config)

in the browser (it's compiled to javacript) to authenticate with Firebase's server.

Am I confused here? Is this a valid way to authenticate with Firebase from the browser? I got the code from their "web" tutorial, so I'm figuring it is.

Now, I need to configure my Firebase database rules so that me and only me can read & write it.

How could I accomplish this? Would this example be adequate?

this is the given example for allowing read/write to authenticated users only

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
max pleaner
  • 26,189
  • 9
  • 66
  • 118

2 Answers2

14

The firebase.initializeApp(config) does not authenticate you, it merely identifies your project on the Firebase servers. It's the equivalent that you must know your home address to be able to know where to go after work. Knowing the address is a prerequisite, but it is not enough to gain access.

If you want to restrict data access to "just you", that means that you must first identify yourself with Firebase. This you do with Firebase Authentication. For example, to sign in with email+password you'd do:

firebase.auth().signInWithEmailAndPassword(email, password)

Read the documentation for email+password authentication for the full steps.

Once you're authenticated, you get a unique id; a so-called uid. You can find your uid in the Auth tab of your Firebase Console.

the Firebase Auth console showing a user's information

With this uid you can control access to the data (both database and storage). So if you copy your uid from the console and add it to your security rules, only you (or someone who knows your email+password) can access the database:

{
  "rules": {
    ".read": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",
    ".write": "auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'"
  }
}

Note that I added one of my own uids in this snippet. Just like knowing your API key or database URL is not a security risk, neither is knowing my uid. Knowing that I am Frank van Puffelen, user:209103 on Stack Overflow, does not mean that you can impersonate me.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks, Frank, it's great to know your team is watching out for noobs, and I'm excited to start building with Firebase. – max pleaner Aug 25 '16 at 05:41
  • I look forward to seeing what you build Max! – Frank van Puffelen Aug 25 '16 at 14:57
  • 1
    I know comments are mean't for saying thanks here, but @FrankvanPuffelen this answer has helped me so much! I've been looking for this basic info, which for some reason seems like basic info is always left off of Firebase docs. Thanks! – Adam Feb 13 '17 at 07:59
  • @FrankvanPuffelen: I've been wondering: Is it any less secure to use a rule like `"auth.token.email == 'my-email@gmail.com' && auth.token.email_verified == true"`? (PS: These exact fields may or may not be specific to newer versions of Firebase.) – mhelvens Nov 04 '18 at 18:37
3

The rules in your question would allow any authenticated user to read and write to any key in the database. If you wish, for development purposes, to configure a single user and restrict access to only that user, you could use the following rules:

{
  "rules": {
    ".read": "auth !== null && auth.uid === '<your-uid>'",
    ".write": "auth !== null && auth.uid === '<your-uid>'"
  }
}

Where <your-uid> is the User UID for the user with which you wish to sign in - you can find it on the Firebase console under Auth (where you can also create a user, if you have not already done so).

Typically, Firebase would be configured so that users could create accounts and finer-grained rules would be used to give users read and write access to specific parts of the database.

cartant
  • 57,105
  • 17
  • 163
  • 197