firebase realtime update security rules without auth
I am not advising this strategy but the question states
in my case it's useless authenticate the users
and
a list that needs to be shared with everyone, and everyone could read
and write this list
If that's the case and you want your database to be wide open where anyone can read and write, here's the answer
{
"rules": {
".read": true,
".write": true
}
}
Again, not recommended for any use case but it'll do the trick.
This can sometimes be useful when you are just getting started and want to read and write some data and not worry about authentication.
How Can I Secure the Firebase Realtime database without Authenticating (Login/Register) the user?
If you want to secure data access without requiring the user to sign in with their credentials, consider using Firebase's anonymous authentication. With this provider, you can sign in a user with just this single line of code:
FirebaseAuth.getInstance().signInAnonymously();
After running this you won't know any details of the users yet. But you can now identify the user in any calls to the database, and then use the information in the security rules of your database, to ensure the user only has access to the data they're authorized for.
For an example of this, see the documentation on leveraging user information in security rules, which contains this example:
For example, your app may want to make sure users can only read and write their own data. In this scenario, you would want a match between the
auth.uidvariable and the user ID on the requested data:
{
"rules": {
"users": {
"$userId": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($userId)
".write": "$userId === auth.uid"
}
}
}
}
To learn more about that, I recommend reading the full documentation on securing data access.
Firebase Rules for Realtime Database Without Using Firebase Authentication
Note: To my knowledge, it's not possible to use your custom authentication system directly within Firebase.
Assumption: You have an authentication server which Firebase Admin SDK (can be/has already been) integrated.
You need to create custom tokens in order to use your authentication within the Database/Storage:
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Once authenticated, this identity will be used when accessing other
Firebase services, such as the Firebase Realtime Database and Cloud
Storage. Furthermore, the contents of the JWT will be available in the
auth object in your Firebase Realtime Database Security Rules and the
request.auth object in your Cloud Storage Security Rules.
Omitting Java and Python from the upper link
In server:
// Step 1: Your client has sent the credentials.
// Step 2: Fetch the client's unique id, and create a custom token with the Admin SDK.
var uid = "some-uid";
admin.auth().createCustomToken(uid)
.then(function(customToken) {
// Send token back to client
})
.catch(function(error) {
console.log("Error creating custom token:", error);
});
Then in iOS part:
// Step 1: Login with your own authentication system.
// Step 2: Send your credentials to your server, and fetch the customToken.
// Step 3: Sign in with FIRAuth:
[[FIRAuth auth] signInWithCustomToken:customToken
completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
// ...
}];
authentication with firebase Realtime Database without user
To allow only your web site to read, and only your backend to write, you'll want to combine security rules with Firebase App Check.
Security rules
First in security rules, you'll do:
{
"rules": {
".read": true,
".write": false
}
}
This allows everyone to read your entire database (we'll limit it to your app later), and allows nobody with a client-side SDK to write to it.
I strongly recommend adding some additional logic in the rules to limit how people can read the data though. For example, if your code first reads a list of users, and then shows the posts from a selected user, modify your rules to only allow that specific path, and reject anything else.
App Check
Now with the rules in place, you'll want to start using App Check to reduce the abuse you get from people taking your configuration data and calling the API on their own.
App Check is no guarantee that this can't happen anymore (especially on web), but it definitely increases the work a malicious user has to do.
Firebase Security Rules Without Firebase Authentication
I ended up using a system where a vendor calls one of my APIs (protected by my own internal authorization system) that returns a token that the user can use to authenticate with Firebase.
I use PHP and there is a token generator written by the Firebase team here. Don't forget the JWT PHP library this token generator relies on.
The token generator takes what is called a Firebase secret (you can find this in your particular Firebase instance page) passed into its class constructor and returns a random token based on this secret.
Related Topics
Ionic2 Background Image Is Resized When Keyboard Is Open
Mysterious Stacktrace in Android Developer Console (Bitmap Size Exceeds 32Bits)
Android Stock Browser Not Respecting CSS Overflow
How to Paging Query from Firebase Using Android Firebaseui
How to Parse JSON Array Without Any Object in Retrofit
Android Emulator Failed to Allocate Memory 8
How to Create a Date and Time Picker in Android
Android, Asynctask, Check Status
Android in Navigation Drawer When I Click Anywhere Drawer Closes
Input Field Hidden When Soft Keyboard Appears in Phonegap
Flutter: Upgrade The Version Code for Play Store
Eclipse Can't Find Android.Support.V4.Widget.Swiperefreshlayout
Android Webview Hardware Acceleration Artefact Workarounds
Picture Taken with Camera Intent Is Low Quality on Imageview (7.0+)
Why Did The Listview Repeated Every 6Th Item
How to Show a Preview of a Recyclerview's Contents in The Android Studio Editor
How to Create Custom Spinner Like Border Around The Spinner with Down Triangle on The Right Side