
Hi, I'm working with Angular and Firebase in a web app. If I open the browser tools on the console, I can see the connection keys to my Firebase; it's very bad.

The rules in Firebase are the solution to this problem, but all the answers I found are based on auth of users, and on my web app auth is not necessary. How can I set rules so that only my web app can read and write, without user auth? Because if I create another project and use the same keys, I can map the database and anyone can update the data. Thanks. P.S. My rules actually are read=true and write=true; this allows anyone to read and write.

{
  "rules": {
    ".read": "true != null",
    ".write": "true != null"
  }
}

P.S. My web app is hosted on Firebase Hosting. Thanks again.

  • `s/"true != null"/true/g` / replace `"true != null"` with `true` please, as it's a bit more idiomatic to say that something is always true that way :) – Frank van Puffelen May 30 '19 at 19:33

1 Answer


This is not possible with security rules. If you don't restrict usage with Firebase Authentication, that means anyone with an internet connection can read and write your database.

Doug Stevenson
    Thanks Doug, but how can I set Firebase Authentication without auth users? Is there another way so that only my web app can read and write? Maybe a token from the server side, validated in the rules? Thanks. – Diego Rivon May 30 '19 at 19:07
  • See https://stackoverflow.com/questions/52018041/locking-down-firebase-db-access-to-specific-apps – Frank van Puffelen May 30 '19 at 19:34
  • You could use Firebase Authentication anonymous authentication, which doesn't require a login, or use custom tokens, but you will need to use the Firebase Auth SDK either way. – Doug Stevenson May 30 '19 at 19:41
  • Thanks to both. I can see that anonymous auth is a simple way, but what prevents anyone from doing this also in a project that is not mine, and that obtains a uid to modify data? Thanks again – Diego Rivon May 30 '19 at 20:37
  • Sorry, I don't understand your question. It sounds like maybe you have a whole new question about Firebase Authentication and not Realtime Database. – Doug Stevenson May 30 '19 at 20:39
  • Anonymous authentication works without requesting user credentials. But any developer with your configuration data (which is readily available in/from your app) can sign in as an anonymous user, and then run whatever code they want. You should never trust that the code accessing your Firebase resources is the code that you write, which is why you should usually require users to sign in. – Frank van Puffelen May 30 '19 at 20:55
  • But one example of using anonymous authentication is to grant users only access to their data. Anonymous authentication works fine there, since the UID can't be spoofed by another user. So even with anonymous sign in, you can limit the user's access to just their own data, as shown here: https://firebase.google.com/docs/database/security/user-security – Frank van Puffelen May 30 '19 at 20:56
  • Thank you Frank, but if anyone can modify their data with an anonymous uid through another app, the data from Firebase cannot be reliable – Diego Rivon May 31 '19 at 00:23
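To make the comment thread concrete, here is an added example (not code from the question, the answer, or Firebase's own SDK or documentation). It places the open rules from the question beside the per-user pattern Frank links to, and runs both through a small evaluator written for this example that mimics how the Realtime Database matches a `$uid` wildcard against `auth.uid` and how a permission granted at a parent cascades to its children. The evaluator is a deliberate simplification of the real rules engine (no `.validate`, no `data`/`newData`, only the two expression forms used here); the uids are constructed values standing in for two anonymous sign-ins, one from the app and one from an unrelated client that reused the public config.

```javascript
// Added example, not from the original post. The evaluator is a simplified model of
// Realtime Database rule matching for the two rule patterns discussed in the thread;
// it is not the Firebase SDK or rules engine.

// The question's rules: anyone, signed in or not, can read and write everything.
const openRules = {
  rules: { ".read": "true", ".write": "true" },
};

// The per-user pattern from the user-security docs linked above: a client may only
// read and write under /users/<its own uid>. `auth` is null for unauthenticated requests.
const perUserRules = {
  rules: {
    users: {
      $uid: {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
      },
    },
  },
};

// Evaluate one rule expression. Only the forms used in the two rule sets are supported.
function evalExpr(expr, auth, vars) {
  if (expr === "true") return true;
  if (expr === "false") return false;
  const m = /^\$(\w+) === auth\.uid$/.exec(expr);
  if (m) return auth !== null && vars[m[1]] === auth.uid;
  throw new Error(`unsupported rule expression: ${expr}`);
}

// Walk the rules tree along `path`. As in the real engine, a grant at a parent node
// cascades to everything below it, so the first grant found along the path wins;
// reaching the end of the path without a grant means the request is denied.
function isAllowed(rulesDoc, op, path, auth) {
  const key = op === "read" ? ".read" : ".write";
  const segments = path.split("/").filter(Boolean);
  const vars = {}; // bound $wildcard values, e.g. { uid: "anon-A" }
  let node = rulesDoc.rules;
  for (let i = 0; ; i++) {
    if (key in node && evalExpr(node[key], auth, vars)) return true;
    if (i === segments.length) return false;
    const seg = segments[i];
    if (seg in node) {
      node = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false;
      vars[wildcard.slice(1)] = seg;
      node = node[wildcard];
    }
  }
}

// Constructed identities: an anonymous sign-in from the app itself, and one obtained by
// an unrelated client that reused the same public Firebase config. Both uids are valid.
const appUser = { uid: "anon-A" };
const otherClient = { uid: "anon-B" };

// Outcomes for a write to the app user's own node under each rule set.
function summary() {
  const target = "/users/anon-A/profile";
  return {
    openUnauthWrite: isAllowed(openRules, "write", target, null), // true: open rules
    perUserUnauthWrite: isAllowed(perUserRules, "write", target, null), // false: no auth
    perUserOwnWrite: isAllowed(perUserRules, "write", target, appUser), // true: own node
    perUserCrossWrite: isAllowed(perUserRules, "write", target, otherClient), // false: other uid
    perUserOtherOwnNode: isAllowed(perUserRules, "write", "/users/anon-B/x", otherClient), // true
  };
}

console.log(summary());
```

The last two results are the heart of Frank's point: the per-user rules stop a client holding a different uid from touching `anon-A`'s data, but they do nothing to stop that client from signing in anonymously and writing whatever it likes under its own node, because the public config is not a secret and the rules cannot tell the app's code apart from anyone else's.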