0

I am new to Firebase Database and I am not planning to use the Firebase Authentication.

Is it possibile to set Firebase Database rules based on the Firebase Instance ID, rather than on the authenticated User ID ?

This is the structure I am thinking to implement:

/instanceIDs
    /iid1
         /somedata
         /someotherdata
    /iid2
         ...
    /iid3
         ...

and I would like to restrict read/write permission only to that specific instance ID

anyone can show how to set such rule?

Otherwise, if I set read/write to true for all users, what is the security risk? If my native mobile app code only reads/writes on the specific instance ID branch, can I expect some security issues?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Daniele B
  • 19,801
  • 29
  • 115
  • 173

1 Answers1

3

The Instance ID in an app that uses Firebase Cloud Messaging identifies the installation of that specific app on that specific device. This value is not available in Firebase security rules.

While it sounds like an interesting idea to secure based on this instance ID, it would in longer term not work. The Instance ID can change over time, and every time that happens, the device would lose access to its data.

Access to Firebase (database and storage) is typically based on the user of the app. Unlike the Instance ID, the user's ID is stable over time: meaning that the same user will always have the same UID and thus have access to the same resources. If you don't want to ask your users to sign in, you can use Firebase's anonymous authentication.

PS: if you feel like experimenting with using the Instance ID to secure access, you can easily pass the Instance ID to a server, mint a Firebase Authentication token from it (you could use Cloud Functions for this), and then use that custom token to sign in.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • HI Frank, thanks for the reply. The reason to use Instance ID is because I am interesting in storing preferences even without the burden of user login/authentification. My app doesn't require login, but I still would like to store user preferences and trigger Cloud Functions based on these preferences modifications, for managing FCM notifications. – Daniele B Jun 27 '17 at 13:59
  • Frank, you are saying that the Instance ID can change over time, but I thought the (rare) token rotation wouldn't affect the Instance ID, which we can assume it doesn't change unless we programmatically decide so? – Daniele B Jun 27 '17 at 14:12
  • Instance ID can indeed change over time. If you want to identify a user/device without asking the user to sign in, consider using anonymous authentication: https://firebase.google.com/docs/auth/android/anonymous-auth – Frank van Puffelen Jun 27 '17 at 14:23
  • Here (https://firebase.google.com/docs/reference/android/com/google/firebase/iid/FirebaseInstanceId) it's stated that the Instance ID can only change in these 4 cases: 1) App deletes Instance ID; 2) App is restored on a new device; 3) User uninstalls/reinstall the app; 4) User clears app data – Daniele B Jun 27 '17 at 14:38
  • Are all of these cases where you want the user to lose access to their previous data? If so, you could implement an auth provider that uses instance ID as I described in my last paragraph. – Frank van Puffelen Jun 27 '17 at 16:21
  • I would like the user to KEEP (not to lose) access to its previous data, without asking him to login in. I have found a previous question (https://stackoverflow.com/questions/39640511/how-to-prevent-firebase-anonymous-user-token-from-expiring) where you answered that the anonymous user sessions don't expire anymore after 3.x SDKs. If that is true, I believe it could make sense to organize the database by userID, rather than by InstanceID, don't you think? And if it's true that InstanceID doesn't change (look at my previous link), I could store the InstanceID as a field under the user, right? – Daniele B Jun 27 '17 at 18:05
  • Yup. Those sound correct to me. I added a note about anonymous auth to this answer too. – Frank van Puffelen Jun 27 '17 at 18:21
  • Frank, thanks for updating the answer. To clarify, can you confirm that: 1) the Anonymous user session never expires, unless `FirebaseAuth.getInstance().signOut()` is called, and it also survives app updates (but not uninstall/reinstall) and Firebase version updates; 2) the InstanceID always stay the same, unless: a) App deletes InstanceID; b) App is restored on a new device; c) User uninstalls/reinstall the app; d) User clears app data. Many thanks! – Daniele B Jun 27 '17 at 19:07
  • Frank, I think in the documentation (https://firebase.google.com/docs/auth/android/anonymous-auth) you should clearly state that the anonymous authentication is not "temporary" (as it's written), but it does persist indefinitely (even app updates) until the SignOut() function is called. Otherwise you will keep having people like me asking for clarifications. – Daniele B Jun 27 '17 at 21:31
  • Noted. Please click the "Send Feedback" button at the top of the documentation page for that sort of feedback. That ensures it ends up at the right desk. – Frank van Puffelen Jun 27 '17 at 21:43