-1

I have a Firebase Realtime database I'm using in a learning course project I'm building. I just received an email warning that it will expire in 5 days. Here's what it says:

You chose to start developing in Test Mode, which leaves your Realtime Database instance completely open to the Internet. Because this choice makes your app vulnerable to attackers, your database security rules were configured to stop allowing requests after the first 30 days.

In 5 day(s), all client requests to your Realtime Database instance will be denied. Before that time, please update your security rules to allow your app to function while appropriately protecting your data. Analysis is run daily; if you've modified your rules in the last 24 hours those changes may not be accounted for.

I don't know what that means or what to do to fix it. The email has a couple of buttons: one to view the docs and the other to edit the rules.

The docs show various rules options but I haven't a clue which to choose. When I click on the edit rules button it shows some code with comments, I think indicating the expiration date, but I don't know if or how I would change that code to, for example, add another 30 days.

I'm the only user on the database but the course has not yet gotten to adding authorization. Some of the answers I read applied to Firestore instead of Realtime Database and also suggested rules that were not recommended in the documents because any logged-in user then has read and write access to the entire database. What should I do to fix this?

Frank van Puffelen
user258081

2 Answers

0

The security rules of your database are pretty much like the source code of your app: they depend on your domain, the use-cases, and how you implemented them. So there is no blanket fix for this that we can give, and switching to Firestore makes no difference as it has similar checks and warnings.

If you want to just add some time to the interval, check how to get a timestamp for a date. For example, to have the database accessible until June 3, 2021:

console.log(new Date(2021, 5, 3, 0, 0, 0).getTime())

The 5 in there is June, because somehow months in a JavaScript date are 0-based. ¯\_(ツ)_/¯

Meanwhile, I recommend reading about security rules before continuing on your app, and from then on developing the rules as you're developing your code.

Also see these previous questions about security rules, how to get started with them, and some interesting more advanced use-cases:

Frank van Puffelen
  • Thanks. I did read all the prior related questions and I did read the documents referenced in the Firebase warning email. It has a button that takes you to that documentation. A lot of the rule examples refer to Firestore and not Realtime. That's why I tried to make it clear which database I was using. – user258081 May 05 '21 at 02:58
  • All the links I gave above are for the Realtime Database. The timestamp format output by the code in my answer is for the Realtime Database rules. If this doesn't help you, I highly recommend showing what _you_ tried already. – Frank van Puffelen May 05 '21 at 03:05
  • This is the code shown when I click on the edit rules button: { "rules": { ".read": "now < 1620532800000", // 2021-5-9 ".write": "now < 1620532800000", // 2021-5-9 } } I'm using to separate the code section. I don't know how I can use your console.log example. I'm not sure how all those numbers relate to the commented dates. Can you help me with that? – user258081 May 05 '21 at 03:17
  • See https://stackoverflow.com/questions/67408642/what-do-these-default-security-rules-for-the-firebase-realtime-database-mean/67408643#67408643 – Frank van Puffelen May 05 '21 at 20:59
  • Hey @user258081 Did you make any progress on this? I tried explaining the default test rules in the Q&A I linked in my previous comment. – Frank van Puffelen May 09 '21 at 04:37
-1

After doing some research and reaching out to other sources for some help on this, I found that the rule codes were in fact autogenerated when I set up the Realtime database. They are Unix timestamps. While I don't know if I can now change that autogenerated rule, I did find a Unix timestamp converter (https://www.epochconverter.com/). I experimented in the Firebase Rules Playground and replaced my rules code with the timestamp for a 30-day extension. I then ran a simulated read and it passed as allowed code. I then published my new rules code. Since the message warning said access would expire in 4 days, I'll update this with a comment if the rule change worked.

I also discovered that this rule will work without authentication:

{ "rules": { ".read": "true", ".write": "true" } }

and this after I write authentication code into my project:

{"rules": { ".read": "auth != null", ".write": "auth != null" } }

I hope this helps someone having the same problem.

user258081
  • Well even though the changed code passed it did not take effect. I guess once autogenerated that's it. My next option will be to try the unrecommended read and write true rule until I add authentication. – user258081 May 05 '21 at 21:58
  • So, as for me, after all the help I got and much research & reading, this has never been resolved. Thanks anyway. – user258081 Sep 06 '21 at 18:46
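The rule sets quoted in both answers above, run through a small audit script. This is an added example, not code from either poster or from Firebase: the function names are hypothetical, and the multi-line layout of the test-mode rules is reconstructed from the comment that quotes them. It shows that `1620532800000` is an epoch-milliseconds expiry (2021-05-09T04:00:00Z), classifies each root rule by who it admits, and builds a new expiry with `Date.UTC` so the result does not depend on the local time zone the way `new Date(2021, 5, 3, ...)` does.

```javascript
// Added example: function names are hypothetical; sample rules are the ones quoted on this page.
// The quoted rules carry // comments and a trailing comma, which JSON.parse rejects.
function parseRules(text) {
  const keepStrings = (m) => (m[0] === '"' ? m : ""); // leave string contents untouched
  const cleaned = text
    .replace(/"(?:\\.|[^"\\])*"|\/\/[^\n]*/g, keepStrings)
    .replace(/"(?:\\.|[^"\\])*"|,(?=\s*[}\]])/g, keepStrings);
  return JSON.parse(cleaned).rules;
}

// Classify one root-level rule expression as seen at time nowMs (epoch milliseconds).
function classify(expr, nowMs) {
  const e = String(expr).trim();
  const m = /^now\s*<\s*(\d+)$/.exec(e);
  if (m) {
    const expiresMs = Number(m[1]);
    const kind = nowMs < expiresMs ? "open-until-expiry" : "expired";
    return { kind, expires: new Date(expiresMs).toISOString() };
  }
  if (e === "true") return { kind: "open-to-anyone" };
  if (e === "false") return { kind: "closed" };
  if (/^auth\s*!==?\s*null$/.test(e)) return { kind: "any-signed-in-user" };
  return { kind: "custom" };
}

function auditRoot(text, nowMs) {
  const rules = parseRules(text);
  // A missing rule denies access, so treat it as "false".
  return {
    read: classify(rules[".read"] ?? "false", nowMs),
    write: classify(rules[".write"] ?? "false", nowMs),
  };
}

// Build a time-limited rule for a UTC date. month is 1-based here; Date.UTC's is 0-based.
function ruleUntilUtc(year, month, day) {
  return `now < ${Date.UTC(year, month - 1, day)}`;
}

const TEST_MODE = `{
  "rules": {
    ".read": "now < 1620532800000",  // 2021-5-9
    ".write": "now < 1620532800000",  // 2021-5-9
  }
}`;
const OPEN = `{ "rules": { ".read": "true", ".write": "true" } }`;
const AUTH_ONLY = `{"rules": { ".read": "auth != null", ".write": "auth != null" } }`;

console.log(auditRoot(TEST_MODE, Date.UTC(2021, 4, 5)), ruleUntilUtc(2021, 6, 3));
```

Both `open-until-expiry` and `open-to-anyone` mean the whole database is readable and writable without signing in; `any-signed-in-user` is the rule the question describes as giving every logged-in user access to the entire database.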