Firebase guidelines for secure data in Thunkable Cross Platform

Hi,

I want to make an app that interacts with some hardware via a web API, but I need it to be secure via authentication, so my question is:

With:
[image]

It is a really insecure way to store data, right? Because I imagine someone decompiling the APK of my app and replacing the user ID will be able to access the stored data. So this is my question:

Is there any way to enforce stricter rules on Firebase in such a way that the userId part of the Save/Get query to the DB is handled by the server?

Hi,

For more reliable work, you need to provide different users with different roles. Roles can be granted based on their identifier. I think that your question is more suitable for discussion on the Firebase forum, but, perhaps, someone here can give a more complete answer than mine.
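As an added example (not code from this thread, from Thunkable or from Firebase's own samples), here is a Realtime Database rule set that does what the question above asks for: the ownership check is evaluated by Firebase, not by the client, and a role is layered on top of it as the reply suggests. The node names `users` and `directory`, the field names, and the `admin` custom claim are assumptions for illustration; the claim has to be set from a trusted server with the Admin SDK, since nothing a client can send sets `auth.token`.

```json
{
  "rules": {
    // Per-user profile data (for example a copy of e-mail and username).
    // $uid is whatever key the client writes to; the rule only passes when it
    // equals the uid inside the ID token that Firebase verified, so a modified
    // APK that swaps the user ID in the path is refused by the server.
    "users": {
      "$uid": {
        // owner or an admin (custom claim set with the Admin SDK; assumed name) may read
        ".read": "auth != null && (auth.uid === $uid || auth.token.admin === true)",
        // only the owner may write
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['email', 'username'])",
        "email":    { ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)" },
        "username": { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 30" },
        // no other fields allowed under a profile
        "$other":   { ".validate": false }
      }
    },
    // Public directory: any signed-in user may list it, but each entry can
    // only be created or changed by the user it belongs to.
    "directory": {
      ".read": "auth != null",
      "$uid": {
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.isString()"
      }
    }
  }
}
```

Two points worth checking before copying a shape like this: there is deliberately no `.read` or `.write` on `users` itself, because a grant at a parent node cascades to every child and a child rule cannot take it away again (only `.validate` rules can narrow a write further down); and phone or SMS sign-in produces an `auth.uid` exactly like e-mail sign-in does, so the same rules apply whichever provider the app uses.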

Hello,
I’m creating an app with 2-step SMS verification; can I secure Firebase data without using email logins?

OMG, do I have to write something like this!??! :open_mouth:

{
  "rules": {
    "room_names": {
      // any logged in user can get a list of room names
      ".read": "auth !== null",

      "$room_id": {
        // this is just for documenting the structure of rooms, since
        // they are read-only and no write rule allows this to be set
        ".validate": "newData.isString()"
      }
    },

    "members": {
      // I can join or leave any room (otherwise it would be a boring demo)
      // I can have a different name in each room just for fun
      "$room_id": {
        // any member can read the list of member names
        ".read": "data.child(auth.uid).exists()",

        // room must already exist to add a member
        ".validate": "root.child('room_names/'+$room_id).exists()",

        "$user_id": {
          ".write": "auth.uid === $user_id",
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length < 20"
        }
      }
    },

    "messages": {
      "$room_id": {
        // the list of messages for a room can be read by any member
        ".read": "root.child('members/'+$room_id+'/'+auth.uid).exists()",

        // room we want to write a message to must be valid
        ".validate": "root.child('room_names/'+$room_id).exists()",

        "$message_id": {
          // a new message can be created if it does not exist, but it
          // cannot be modified or deleted
          // any member of a room can write a new message
          ".write": "root.child('members/'+$room_id+'/'+auth.uid).exists() && !data.exists() && newData.exists()",

          // the room attribute must be a valid key in room_names/ (the room must exist)
          // the object to write must have a name, message, and timestamp
          ".validate": "newData.hasChildren(['user', 'message', 'timestamp'])",

          // the message must be written by logged in user
          "user": {
            ".validate": "newData.val() === auth.uid"
          },

          // the message must be longer than 0 chars and less than 50
          "message": { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length < 50" },

          // messages cannot be added in the past or the future
          // clients should use firebase.database.ServerValue.TIMESTAMP
          // to ensure accurate timestamps
          "timestamp": { ".validate": "newData.val() <= now" },

          // no other fields can be included in a message
          "$other": { ".validate": false }
        }
      }
    }
  }
}

This is something I really need to do. I am currently developing a private chat app with Firebase, and the rules for now are read and write true for absolutely anyone. I have the app working great. So I too, need help with something like this.

I have users’ passwords kept safe by using Firebase Auth, but I keep a copy of their email and username under one tag, which I don’t want randomers, except the user themselves, gaining access to.

Did you solve this?

’Cause I think I understood it. I found a few good YouTube videos that explain it in a nice, understandable way.

Let me know

I think with what I am doing I can use Airtable, although Firebase seems better. Airtable would work and I haven’t seen any warning messages for security. Just means I have to re work my entire app.

I don’t know what Airtable is. What is it?

Right now I’m fighting with Firebase rules; the big picture works, but a more specific security setting stops it from working.

Airtable is like spreadsheets or Microsoft Excel. The only difference is that it is cloud-based and you can pull specific data from it, or add to it!

You can read more about integrating Airtable in your project via the Thunkable Docs.


I came to this but it doesn’t work:
{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid",
        // the same condition applies to reads
        ".read": "$user_id === auth.uid"
      }
    }
  }
}

but it doesn’t work; the app doesn’t let the user register or log in.

It works if the rules are set to ".write": "$user_id === auth.uid"
".read": same

but I need more security than that.

Do you have any news?

I’ve come to this, but it still works strangely:

{
  "rules": {
    "Clienti": {
      ".read": "auth != null",
      ".write": "auth != null",
      // a .read/.write granted at this level cascades to every child,
      // so the per-user rule below cannot restrict access any further
      "$userId": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($userId)
        ".read": "$userId === auth.uid",
        ".write": "$userId === auth.uid"
      }
    },
    "ListaClienti": {
      ".read": true,
      ".write": "auth != null"
    }
  }
}