Easy way to secure Firebase Realtime Database with Rules when you have Anonymous Sign In or already deployed project with no rules.

Akash Nidhi P S
4 min read · Jul 11, 2018


Today I woke up to 3–4 emails bombarding my inbox saying all my projects in Firebase are insecure! I was like FUDGEeeeeeee.

Fudgeeeee

Firebase's very good morning mail is as follows:

[Firebase]Your Realtime database has insecure rules!

This was followed by mails from higher management in the office to add salt to an already wounded soul!

Calling Dr.FIX IT!

I knew today was not my day! So if you are on Instagram, most probably you would be following @audiphotography, and if you know him then I am 100% sure you would know about Glenny Glen, Whiskoo Phiskoo and the ever sweet Mother of Dogs :D @Wander_leen. The first thing I did when I reached the office was to steal her smiley idea and put it on my hand, so that I keep looking at it whenever my hands are on the keyboard and keep smiling as much as possible. Here's my smiley hand :)

Smiley smiley at me :)

I can hear you thinking: "I don't want to read this nonsense, just show me the code!" :D

Ok, so here's the solution:

Disclaimer: Use it at your own risk. This is just a quick fix I came up with, not an ideal solution, though it works fine for me. Evaluate it with your project group and then proceed.

My Scenario: All my Firebase projects run with the default rules:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

And one of the major mistakes I made in all these projects is that I never saved the Firebase Anonymous User Id anywhere in the Realtime Database. This is the major issue, so I have to go with an update to secure this database.

If you are in the same situation as me, then proceed further; if you have saved the id in your database, then watch this 43-minute video: The key to Firebase security (Google I/O 2016).

My Solution:

Whatever data structure you have in your database, this solution works fine with a small change in the app.

First you need to decide on a secret key; for this example I am going with 9MHhf68N2T.

Create a node just below the root with this name:

root.child("9MHhf68N2T"), or you can do it manually: "9MHhf68N2T": "test"

Now every time a user logs into your app, call your signInAnonymously() function, get the user id and save it as a child of this secret node. Check the structure below:

ca3941fb-6802-437b-ac7c-380953401f8c and
fa3941fb-6802-437b-ac7c-380953401f8c are two user ids generated by the signInAnonymously() method in your app, each stored as a child key under the secret node.

This is the only change you need to make on the app side. Next we need to update the rules.

Rules:

So if you have a chat application, there is a high probability that your structure will have the following main nodes: users, group, messages. Your rules should look like below:
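The complete rules file the post refers to is not present in this copy; the following is an added reconstruction, not the author's own rules, assembled from the two fragments the post shows further down (the secret node block and the group block) and extended to the users and messages nodes named above. It goes beyond the post in two places: the write rule under the secret node requires `auth.uid === $auid`, so an anonymous user can only register its own id rather than any id it knows, and `.validate` restricts each entry to a boolean, which matches the `setValue(true)` the post uses.

```json
{
  "rules": {
    "9MHhf68N2T": {
      "$auid": {
        ".read": false,
        ".write": "auth != null && auth.uid === $auid",
        ".validate": "newData.isBoolean()"
      }
    },
    "users": {
      ".read": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true",
      ".write": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true"
    },
    "group": {
      ".read": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true",
      ".write": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true"
    },
    "messages": {
      ".read": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true",
      ".write": "auth != null && root.child('9MHhf68N2T').child(auth.uid).val() === true"
    }
  }
}
```

Two things worth checking in the Rules Playground before deploying: there is no `.read` on the root, so a client cannot list the root and discover the secret node's name, and `root.child(...)` inside a rule reads the secret node regardless of its `.read: false`, because rule expressions are evaluated server-side with full access to the data.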

Let me explain what we are doing here:

Note: The secret node id is known only to you. No one else knows it, so you should never hardcode it in your app source. Save it in your build.gradle file and read it from there:

buildConfigField("String", "secretcode", "\"9MHhf68N2T\"")

You can access it as BuildConfig.secretcode in your activity or any class. The write goes through a DatabaseReference obtained from getReference(), with the id of the currently signed-in anonymous user as the child key:

FirebaseDatabase.getInstance().getReference().child(BuildConfig.secretcode).child(FirebaseAuth.getInstance().getCurrentUser().getUid()).setValue(true);
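The app-side change (sign in anonymously, then store the uid under the secret node) has an ordering dependency the one-liner above hides: the registration write must complete before the app reads or writes the protected nodes, otherwise the rules deny those requests. The class below is an added example, not code from the post; it assumes the Gradle `buildConfigField` named `secretcode` shown above, the Firebase Auth and Realtime Database Android SDKs, and that `BuildConfig` lives in the app's own package.

```java
// Added example: register the anonymous uid under the secret node before
// touching the protected nodes. Assumes BuildConfig.secretcode from the
// buildConfigField in build.gradle and a protected node named "group".
import android.util.Log;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DatabaseReference;
import com.google.firebase.database.FirebaseDatabase;

public class SecretNodeRegistration {
    private static final String TAG = "SecretNodeRegistration";
    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private final DatabaseReference root = FirebaseDatabase.getInstance().getReference();

    /** Signs in anonymously (or reuses the cached session) and then registers the uid. */
    public void signInAndRegister(final Runnable onReady) {
        FirebaseUser current = auth.getCurrentUser();
        if (current != null) {
            // A previous anonymous session is still valid; re-registering is harmless.
            registerUid(current.getUid(), onReady);
            return;
        }
        auth.signInAnonymously().addOnCompleteListener(task -> {
            FirebaseUser user = auth.getCurrentUser();
            if (!task.isSuccessful() || user == null) {
                Log.w(TAG, "anonymous sign-in failed", task.getException());
                return;
            }
            registerUid(user.getUid(), onReady);
        });
    }

    /**
     * Writes /<secret>/<uid> = true. Only after this write succeeds do the
     * rules on /group (and the other protected nodes) accept this user.
     */
    private void registerUid(String uid, final Runnable onReady) {
        root.child(BuildConfig.secretcode).child(uid).setValue(true)
            .addOnCompleteListener(task -> {
                if (task.isSuccessful()) {
                    onReady.run();
                } else {
                    // Typically PERMISSION_DENIED: the rules file does not yet
                    // contain the secret node block, or the node name differs.
                    Log.w(TAG, "could not register uid under secret node", task.getException());
                }
            });
    }

    /** Example of a protected read that is safe to issue once onReady has fired. */
    public void loadGroup(com.google.firebase.database.ValueEventListener listener) {
        root.child("group").addListenerForSingleValueEvent(listener);
    }
}
```

Call `new SecretNodeRegistration().signInAndRegister(() -> registration.loadGroup(listener))` from your launcher activity rather than reading `/group` directly after sign-in; if the secret node write fails, the listener reports the reason instead of the group read failing with a less obvious permission error.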

"9MHhf68N2T": {
  "$auid": {
    ".read": false,
    ".write": true
  }
},

The above rules say that:

  1. Only those who know the secret id can add an entry for an Anonymous Firebase Id.
  2. No one can read anything from the secret node.
  3. No one can delete or manipulate the entry of others, unless they know the other id.

"group": {
  ".read": "root.child('9MHhf68N2T').child(auth.uid).val() === true",
  ".write": "root.child('9MHhf68N2T').child(auth.uid).val() === true"
}

The above block of rules says:

  1. Only those users whose Anonymous Id is saved under the secret node can read from the group node.
  2. Only those users whose Anonymous Id is saved under the secret node can write to the group node.

Drawback: Keeping the secret node key secret is crucial for this. If it falls into the wrong hands, then GOD help you.

Let me know what you feel about this solution, and if you find a better way of handling it, do write it in the comments section. If this was helpful, do clap a bit.

As this guy says here: clapping is good for health, so what are you waiting for, go clap :D

My new product:

If you want to translate your videos to 75+ languages with just 1-click, visit https://translate.video/?via=akash

Use coupon code AKASH to get 10% off on all plans. Limited offer.
