
I have a Firebase real-time database set up that holds some basic non-sensitive data. I have a website built on NextJS that uses this data as content, basically fetching the data via the API. The website is public facing without the need to log in.

I currently have the database rules set to

{
  "rules": {
    ".read": true,
    ".write": false
  }
}

But Google wants me to add some kind of authentication, I presume, as I received an email saying:

We've detected the following issue(s) with your security rules: any user can read your entire database

Given that my website is public facing and simply using the database to add content to the page without the need to log in to the website, is there a way to tell Firebase that it is only my website reading the data, without having a login or authentication being required, or at least done behind the scenes?

I'm new to Firebase and databases in general so don't fully understand the docs or if there is a way to do this.

I know it needs a uid to authenticate, but I keep reading that you need a login to get this. So I don't know if I can somehow set it somewhere in my website that only my website is always logged in or authenticated, so that Firebase can read this every time my website fetches the data.

i-am-niall
  • "Google wants me to add some kind of authentication to this so that the database can't be read-only to everyone." => What do you exactly mean by that? Are you referring to the email you received about your DB being non-secured? – Renaud Tarnec Oct 11 '21 at 12:20
  • Does this answer your question? [Firebase email saying my realtime database has insecure rules](https://stackoverflow.com/questions/51392059/firebase-email-saying-my-realtime-database-has-insecure-rules) – Frank van Puffelen Oct 11 '21 at 13:55
  • See https://stackoverflow.com/questions/51392059/firebase-email-saying-my-realtime-database-has-insecure-rules/51393449#51393449, https://stackoverflow.com/questions/66185274/firebase-email-saying-my-realtime-database-rules-has-insecure-rules – Frank van Puffelen Oct 11 '21 at 13:58
  • Hi Frank, thanks for your input, I'd already had a look at this question previously, but it doesn't fit what I'm trying to do as far as I can tell. – i-am-niall Oct 11 '21 at 14:04
  • @FrankvanPuffelen I got an email saying my db is insecure because of the read access true rule. It's been like this a year and the email said it will be deactivated if the rule isn't changed. The database doesn't allow write access as per the rules above. I only need to read from it but I don't need to sign in to do so. – i-am-niall Oct 11 '21 at 14:08
  • @FrankvanPuffelen I'm just pulling the data in asynchronously and using the data as content on my public facing website. – i-am-niall Oct 11 '21 at 14:10
  • You might want to read https://stackoverflow.com/questions/51392059/firebase-email-saying-my-realtime-database-has-insecure-rules/51393449#51393449 again, as I added a section about App Check to it just before linking it here. Also see my answer here from over the weekend: https://stackoverflow.com/questions/69510018/firebase-your-realtime-database-has-insecure-rules/69510132#69510132 – Frank van Puffelen Oct 11 '21 at 14:33

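An added example, not part of the original thread: a small JavaScript audit of a Realtime Database rules object that reports which paths grant read access to anyone. It relies on the fact that rules cascade downward, so a root-level `".read": true` like the one in the question opens the whole database. The function names and the `content` and `drafts` paths are hypothetical.

```javascript
// Added example, not code from the original thread.
// Realtime Database rules cascade: once ".read" is true at a node, every
// descendant is readable and a deeper ".read": false cannot revoke it.
function isOpen(expr) {
  return expr === true || (typeof expr === "string" && expr.trim() === "true");
}

function auditReadRules(ruleSet) {
  const publicPaths = [];   // shallowest nodes that grant read to anyone
  const ignoredRules = [];  // deeper ".read" rules shadowed by an open ancestor
  const walk = (node, path, openAbove) => {
    if (node === null || typeof node !== "object") return;
    const hasRead = Object.prototype.hasOwnProperty.call(node, ".read");
    const open = hasRead && isOpen(node[".read"]);
    if (openAbove && hasRead && !open) ignoredRules.push(path);
    if (open && !openAbove) publicPaths.push(path || "/");
    for (const [key, child] of Object.entries(node)) {
      // Keys starting with "." are rule expressions, not child paths.
      if (!key.startsWith(".")) walk(child, `${path}/${key}`, openAbove || open);
    }
  };
  walk(ruleSet.rules, "", false);
  return { publicPaths, ignoredRules, wholeDatabase: publicPaths.includes("/") };
}

// The rules from the question.
const asPosted = { rules: { ".read": true, ".write": false } };

// Constructed variants; "content" and "drafts" are hypothetical paths.
const shadowed = {
  rules: { ".read": true, ".write": false, drafts: { ".read": false } },
};
const narrowed = {
  rules: {
    ".write": false,
    content: { ".read": true },
    drafts: { ".read": "auth != null" },
  },
};

for (const [name, rules] of Object.entries({ asPosted, shadowed, narrowed })) {
  console.log(name, JSON.stringify(auditReadRules(rules)));
}
```

In the `shadowed` variant the `drafts` rule is reported as ignored, because a read granted at the root cannot be taken back further down the tree.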