
I get this annoying email from Firebase every week:

[Firebase] Your Realtime Database ***** has insecure rules

I want to silence this email.

There is an answer like this that references users: Firebase email saying my realtime database has insecure rules

My app doesn't have any users and doesn't use firebase/authentication.

How do I write my rules in such a way that this email will go away?

My database rules in the Firebase web console look like this now:

{
  "rules": {
      ".read": true,
      ".write": true
  }
}

My firebase.json:

{
  "database": {
    "rules": "database.rules.json"
  },
  "hosting": {
    "public": "build",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  }
}

My fire.js:

import firebase from 'firebase/app';
import 'firebase/database';
import 'firebase/storage';

const config = {
  apiKey: <API_KEY>,
  authDomain: <AUTH_DOMAIN>,
  databaseURL: <DATABASE_URL>,
  projectId: <PROJECT_ID>,
  storageBucket: <STORAGE_BUCKET>,
  messagingSenderId: <YADA_YADA>,
};
const fire = firebase.initializeApp(config);
export default fire;
etayluz
  • Have you read the firebase docs on the subject? https://firebase.google.com/docs/database/security/resolve-insecurities – arxenix Aug 23 '18 at 20:25

2 Answers


The way your rules are right now, anyone in the world can read and write the contents of your database. This is a security problem for you, and possibly a billing problem as well, as someone could fill up your database, and you get charged for it.

If your app doesn't have any users and doesn't use auth, that sounds like you're using it from backend services that you control. If you just use the admin SDK to read and write your database, you can lock it down like this:

{
  "rules": {
    ".read": false,
    ".write": false
  }
}

The admin SDK has full access to the database and ignores all rules, so this won't affect any of your code that uses it.

Doug Stevenson
  • I set the rules as you suggested above - my application doesn't work at all. I've attached my firebase.json and fire.js to my question. What else is necessary? `admin SDK has full access to the database and ignores all rules,` - what do you mean by this? – etayluz Aug 24 '18 at 03:38
  • So, you weren't very clear when you said your app has no users. Your app has at least one user - you. You really need to be using Firebase Auth even for your one user if you want your database to be secure. – Doug Stevenson Aug 24 '18 at 03:48
  • I wish that was written somewhere - that I'm required to use the Firebase Auth to "secure" my database. Now I have to rework my whole app. – etayluz Aug 24 '18 at 03:50
  • By the way, I'm using the Firebase Web SDK over at https://firebase.google.com/docs/database/web/start – etayluz Aug 24 '18 at 03:51
  • What is the admin SDK? Is that a Firebase token? My app has an integrated chat feature using Firebase to store text and images. Which config should I set? – Huy Nguyen Aug 14 '20 at 17:15

I found a workaround.

Create a user in your Firebase web Authentication console with some email and password.

Now in your fire.js add this:

firebase.auth().signInWithEmailAndPassword(<USERNAME>, <PASSWORD>).catch((error) => {
  console.log(error.code);
  console.log(error.message);
});

firebase.auth().onAuthStateChanged((user) => {
  if (user) {
    // User is signed in.
    console.log("IF YOU DON'T GET HERE SOMETHING IS WRONG");
  } else {
    // User is signed out.
    console.log("IF YOU GET HERE SOMETHING IS WRONG");
  }
});

And in your Firebase Database rules console paste this:

{
  "rules": {
    "<RESOURCE1>": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "<RESOURCE2>": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "<RESOURCE3>": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "<RESOURCE4>": {
      ".read": "auth != null",
      ".write": "auth != null"
    }
  }
}

Now that email warning will be gone.

etayluz
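Both answers turn on what a rule expression actually grants, so here is a small auditor, added here and not part of either answer, that walks a Realtime Database rules document like the ones quoted above and labels each `.read`/`.write` grant. It assumes only the `{"rules": {...}}` shape shown in the question; the three sample documents are constructed to mirror the open, locked, and `auth != null` rule sets on this page.

```javascript
// Added example, not code from the question or the answers. It audits a
// Realtime Database rules document of the shape used on this page
// ({"rules": {...}}) and reports how each ".read"/".write" is granted.

// Firebase rules are booleans or expression strings; classify the forms seen above.
function classifyRule(expr) {
  if (expr === true || expr === 'true') return 'PUBLIC';     // no sign-in needed
  if (expr === false || expr === 'false') return 'DENIED';
  if (typeof expr === 'string' && /^\s*auth\s*!=\s*null\s*$/.test(expr)) {
    return 'ANY_SIGNED_IN_USER';                              // any account, not a specific one
  }
  return 'CONDITIONAL';                                       // e.g. auth.uid === $uid
}

// Walk every path. Keys starting with "." (.read, .write, .validate, .indexOn)
// are directives; everything else, including $wildcards, is a child path.
// Firebase rules cascade downward, so a PUBLIC grant at "/" applies to every
// path below it no matter what deeper rules say.
function auditRules(rulesDoc) {
  const findings = [];
  function walk(node, path) {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (key === '.read' || key === '.write') {
        findings.push({ path: path || '/', op: key.slice(1), level: classifyRule(value) });
      } else if (!key.startsWith('.')) {
        walk(value, `${path}/${key}`);
      }
    }
  }
  walk(rulesDoc.rules || {}, '');
  return findings;
}

// True when unauthenticated clients can write somewhere: the case the weekly
// Firebase e-mail is warning about.
function isWorldWritable(rulesDoc) {
  return auditRules(rulesDoc).some((f) => f.op === 'write' && f.level === 'PUBLIC');
}

// Constructed inputs mirroring the three rule sets on this page.
const OPEN_RULES = { rules: { '.read': true, '.write': true } };
const LOCKED_RULES = { rules: { '.read': false, '.write': false } };
const AUTH_RULES = {
  rules: { messages: { '.read': 'auth != null', '.write': 'auth != null' } },
};

for (const [name, doc] of Object.entries({ OPEN_RULES, LOCKED_RULES, AUTH_RULES })) {
  console.log(name, isWorldWritable(doc) ? 'WORLD-WRITABLE' : 'ok', auditRules(doc));
}
```

The auditor reports `auth != null` as ANY_SIGNED_IN_USER rather than as locked down, because that expression only separates signed-in clients from anonymous ones; a password shipped inside a client-side fire.js is readable by whoever loads the page, so it does not narrow who can sign in.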