
I want to build a web (single page) application and I would like to allow every user who visits my website to read/write my database without registering or logging in.

Firebase Realtime Database is my only backend. So, with Firebase configs shipped to the client, how can I secure my database?

berkan
  • _"with shipping firebase configs to client"_ If you are referring to the web config used to initialize the Firebase SDK, that is meant to be on the client side and has no risk as long as you have proper security rules set up. Also see: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Dharmaraj Nov 29 '22 at 18:43

1 Answer

2

An anonymous user can be treated like any other Firebase user account, except that it is not persistent and will be lost if the user logs out in any way. That being said, all users have a UID and you can write security rules as you would for permanent users.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid"
      }
    }
  }
}
```

For example, the above rules will allow users to read only the data under a node whose key is their UID, irrespective of which authentication method is used. You just need to change the rules as per your use case.

Dharmaraj
  • What prevents someone from taking my Firebase configs, building a simple application, authenticating users as I did, and putting petabytes of data under their $uid? – berkan Nov 29 '22 at 19:13
  • @berkan can you explain with a use case? You can write security rules in a way that allows only the intended data to be added, like a string with a certain length or so. – Dharmaraj Nov 29 '22 at 19:15
  • What prevents someone from putting data of the allowed length, as I described in the rules, and repeating this until my bill reaches the limit? @Dharmaraj – berkan Nov 29 '22 at 19:19
  • @berkan if you have a rule on a particular path, they'll keep overwriting the same data, right? Or are you looking at [limit child nodes](https://extensions.dev/extensions/firebase/rtdb-limit-child-nodes)? – Dharmaraj Nov 29 '22 at 19:20
  • They will keep overwriting the same data, okay, it won't affect my total storage. But what prevents them from putting that tiny data forever and loading my other limits (download, push, etc.)? @Dharmaraj – berkan Nov 29 '22 at 19:28
  • @berkan ingress is free for the databases. This seems like a different question about rate limiting or so. – Dharmaraj Nov 29 '22 at 19:38
  • I wasn't planning to authenticate the user at all and not store any data related to the user. If I put rules for a couple of documents with `read/write: true`, would it be safe? @Dharmaraj – berkan Nov 29 '22 at 19:48
  • @berkan no, that'll let anyone read/write anything to your database. – Dharmaraj Nov 29 '22 at 19:49
  • Let's say there is a `foo` object in your db and you want to let everyone read/write there with rules like a certain length. Should I just use `true` for read/write? @Dharmaraj – berkan Nov 29 '22 at 20:00
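To tie the answer and the comment thread together, here is an added example rule set (not the answerer's code) that covers both cases discussed: a per-UID node readable and writable only by its anonymous owner, and a public `foo` node that anyone signed in (anonymously or otherwise) may read and write, with `.validate` constraining the shape of what gets stored. The node names `users`, `note` and `foo`, the 280-character limit and the `$other` catch-all are assumptions for illustration; `$other` rejecting unknown child keys is a standard Realtime Database rules pattern.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null && $uid === auth.uid",
        "note": {
          ".validate": "newData.isString() && newData.val().length <= 280"
        },
        "$other": {
          ".validate": false
        }
      }
    },
    "foo": {
      ".read": true,
      ".write": "auth != null",
      ".validate": "newData.isString() && newData.val().length <= 280"
    }
  }
}
```

As Dharmaraj notes in the comments, rules like these bound what and where a caller may write, not how often; repeated writes to the same path are a rate-limiting concern that security rules alone do not address.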