2

In my AngularFire app I am not authenticating users individually as we are using another auth system. The app works currently because the rules are not set

{
    "rules": {
        ".read": true,
        ".write": true,
    }
}

The app is authenticated and I can get an anonymous access token per user.

What do I need to change in my Angular app and rules so that only my app is allowed to read and write? For example this is an example of a real-time database request.

@NgModule({
   imports: [
       BrowserModule,
       AngularFireModule.initializeApp(environment.firebase)
   ],
   declarations: [ AppComponent ],
   bootstrap: [ AppComponent ]
})

get(loc) {
    return this.db.object(loc).valueChanges();
}

basically what do i do in my angular app to make the auth status available in the rules? right now i can anonymously auth but what do i do with that data so the database knows?

Omar
  • 2,726
  • 2
  • 32
  • 65
  • I'm not 100% sure what you are asking when you say `so that only my app is allowed to read and write?`... Do you mean that you are trying to set up the security rules so that your app can read/write to your DB no matter what, regardless of whether the current user is logged in? Or that only when your app has a user who is authenticated/logged-in can read/write? If you're using custom auth tokens then your security rules [can access properties of your custom auth token](https://firebase.google.com/docs/database/security/user-security#section-custom) – JeremyW Dec 27 '18 at 13:50
  • ^^Or, are you trying to make it so that your app can never interact with the database, and instead you make calls to different cloud functions that handle database the interactions for you? Or are you concerned with someone getting your database information from your app, creating a fake app, and using that to mess up your DB? – JeremyW Dec 27 '18 at 13:53
  • My app currently has permissions `true`... So anyone can read or write to the database. I need to secure it so that only my app or domain can have access to the database... once my user auths what do i do with the token so the my database rule can verify that the request is accompanied with a valid token? – Omar Dec 27 '18 at 14:37
  • basically what do i do in my angular app to make the auth status available in the rules? right now i can anonymously auth but what do i do with that data so the database knows? – Omar Dec 27 '18 at 14:44
  • To secure it for a particular domain, check out the answer by "now" in [this question](https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public) where "now" explains how to secure your api key for a particular domain. – JeremyW Dec 27 '18 at 15:00
  • Auth info is already available in the rules section by default, in fact, the auth info is sent to the server with every request automatically. You can access the details of that auth token by referencing `auth.token` in the rules, per the link in my first comment. – JeremyW Dec 27 '18 at 15:02
  • HOW DOES FIREBASE KNOW THAT MY USER IS AUTHENTICATED!? My users are authenticated with Anonymous sign in. when i set my rtdb rules to "auth !== null" my users still do not have access. so am i supposed to pass user data in the data requests to realtime database? – Omar Jan 03 '19 at 15:24

1 Answers1

0

Try this Role-Based User Access Control With Firebase

Andriy Yushko
  • 395
  • 5
  • 21