Firebase & App Security

Firebase Security Rules 🔐 Basics

Kushal Goel
Published in FlutterFever
3 min read · Jun 16, 2021


App Development 📱 is not Easy. But after doing so much Hard Work 😮‍💨, what if somebody steals 🥷🏻 your User Data? Firebase Security Rules is a Great Mechanism for Securing 🔐 your App. Let’s Explore it Together !!

App Security - Photo by Franck on Unsplash

Note: Find these text-heavy articles boring 😑? You can check the same content in a more visual & attractive format here.

The worst mistake 😫 that you can make while building an App 📱 is deploying it without proper back-end security. It puts your user data at big risk ⚠️. Your Firebase project configuration ships inside the app and is not a secret, so anyone who extracts it would be able to read, modify or delete that data unless rules stop them.

So how to avoid this and protect your app’s data?

Traditionally, if you were using a custom backend, you would have to write SQL permission rules, custom authentication code & complex server-side scripts to accomplish this.

But with Firebase, it’s easy.

You can protect data by using a Mechanism known as Firebase Security Rules.

Firebase Security Rules are a set of guidelines written in a language based on CEL (Common Expression Language) which lets us define who can access what in our database.

All the requests that go to Firestore are first routed through the Security Rules. Every request is validated against your rules, and anything your rules do not explicitly allow is rejected. Isn’t it just Awesome 🤩 ?

Every request to Firestore is denied by default. When a request comes in, the rules matching its path are evaluated, and the request is allowed if any matching allow statement evaluates to true (there is no deny statement; an allow that is not granted simply leaves the default denial in place). Once authorized ✅, it can then perform its desired action.

Now, let’s write some rules !!

1. We start by specifying the version of the rules we are using.

rules_version = '2'; // Latest

2. Then we define the service to use and give the default path to the root of the Firestore Database.

service cloud.firestore {
  match /databases/{database}/documents {

    // Some Super Secret Security Code

  }
}

Firestore currently supports only one database per project, which is why the {database} wildcard is always present in this path. Hope it will support many in the future!

3. Finally, to enforce a rule, we match a path pointing to a Document in the Database & then we authorize the request by using the allow statement and giving it a boolean condition after the if keyword, like this:

match /collection/document {
  allow <what>: if <condition>;
}

The basic actions that we can allow are read and write. But if you want finer control over the actions, you can use get, list, create, update & delete.

A read action is a combination of get (a single document) and list (a query). The write action on the other hand combines create, update & delete.

For writing the conditions, we use the if keyword, like in any other programming language. The basic operators like == (equal to), != (not equal to) and && (logical and) are valid here too. The Firebase Security Rules environment also provides us with the request object, which carries the incoming data from the front-end app: the auth info (request.auth), the document data being written (request.resource), the server time (request.time), etc.

Applying Rules on a Collection

What we have learned above can be used to secure individual documents. So how do we secure a whole collection? Simple, wrap the document ID in curly braces to make it a wildcard variable !! Now the rule will be applied to every document in that collection, and the captured ID is available in the condition.

Let's try to enforce the same rule on every document in the Users Collection.

match /users/{userId} {
  allow read: if request.auth != null;
  allow write: if request.auth != null && request.auth.uid == userId;
}

Here, any signed-in user can read anyone’s profile. But a user can only write to the document whose ID matches their own uid.

Some More Tips

  • You can simulate mock requests in the Firebase Rules Playground to test your Security Rules before deploying them.
  • You can roll back and switch to any previous version of the rules that you have deployed.
  • You can use custom functions to reduce code duplication for repetitive conditions like “is the user signed in?”
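Putting all of the above together, here is a complete rules file written as an added example for this article; it is not code from the original post. It applies the users-collection rule from above, but tightens it in two ways a reviewer would ask for: read access is granted with get only, so a signed-in account cannot run a list query that dumps every profile, and writes are split into create, update and delete so the document body can be validated on the way in. The function names isSignedIn, isOwner and validProfile, and the fields displayName, bio and updatedAt, are assumptions for illustration.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (assumed names, not from the article) keep the
    // conditions below short and consistent.
    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Only these fields may exist on a profile, with basic shape checks.
    // request.resource.data is the document as it would look after the write,
    // so the same check works for both create and update.
    function validProfile(data) {
      return data.keys().hasOnly(['displayName', 'bio', 'updatedAt'])
          && data.displayName is string
          && data.displayName.size() > 0
          && data.displayName.size() <= 50
          && data.bio is string
          && data.bio.size() <= 500
          // Forces the client to use a server timestamp; any other value is rejected.
          && data.updatedAt == request.time;
    }

    match /users/{userId} {
      // Any signed-in user may fetch a single profile.
      // No 'list' statement is present, so collection queries stay denied.
      allow get: if isSignedIn();

      // Only the owner may create or change their profile, and only with a valid body.
      allow create: if isOwner(userId) && validProfile(request.resource.data);
      allow update: if isOwner(userId) && validProfile(request.resource.data);

      // Only the owner may delete their profile.
      allow delete: if isOwner(userId);
    }

    // Nothing else is matched, so every other path keeps the default: denied.
  }
}
```

In the Rules Playground, try a get on /users/alice as an unauthenticated request (denied), as any signed-in user (allowed), and a list on /users as a signed-in user (denied); then try an update on /users/alice with a uid other than alice, or with an extra field such as role, and confirm both are rejected.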

Although there is much more to writing production-grade rules, you have now learned the basics of Firebase Security Rules 🤩. Thanks a lot for your precious time. If you liked it, be sure to follow FlutterFever. See you in the next article!

FlutterFever is an Immersive Environment for High-Quality Flutter Tutorials, Resources, Tips & Tricks to Build, Deploy and Market Beautiful and Performant Flutter Apps Effortlessly. Find more about it here.


Kushal Goel
FlutterFever

Passionate Developer 👨🏻‍💻 & Love to Explore New Technologies 📱