Hi,
The current “recommended” rules for Firebase are:
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
Here is the demo structure I created in Firebase:
The problem with this is that, using Postman for example, I can see all the information in the Database without authentication. For example:
https://demoproj-1-92962.firebaseio.com/top-level.json
will return all the information in the top level with no authentication.
This is a HUGE security and privacy issue, because Thunkable is essentially telling users to open up their data to the world. With client data, or even accounting information present in the Realtime Database, leaving it totally unsecured is not even remotely an option…
But, when you add secure Rules to the Firebase DB, the API key from the Firebase project settings no longer works.
For example:
// only authenticated users can read/write data
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
As this is a low-code / no-code platform, one would expect Thunkable to create at least a basic level of Database security documentation for its users. At the moment, anyone using Thunkable with their Realtime Database Rules set to:
  ".read": true,
  ".write": true
can have their entire database read by anyone who knows the data structure.
So, Thunkable, is there a solution!?
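The unauthenticated read described in the post can be turned into a repeatable check. The script below is an added example, not code from the original post, from Thunkable, or from Firebase: it issues the same request the post describes (an anonymous GET of `<database>/<path>.json`) and classifies the answer. Firebase's REST API returns HTTP 200 with the data when the rules allow the read, and HTTP 401 with `{"error": "Permission denied"}` when they deny it; `?shallow=true` asks only for the top-level keys so the probe does not download the whole tree. The hostnames `open-demo`, `locked-demo` and `empty-demo` and their responses are constructed stand-ins so the example runs offline; point `check()` at a real database URL with the default `live_fetch` transport to test your own project.

```python
"""Probe a Firebase Realtime Database for unauthenticated REST reads.

Added example (not part of the original post). The FAKE_RESPONSES below are
constructed to mirror Firebase's documented REST behaviour:
  - rules allow the read  -> HTTP 200, JSON body
  - rules deny the read   -> HTTP 401, {"error": "Permission denied"}
"""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]

# Constructed offline stand-ins for three hypothetical projects.
FAKE_RESPONSES = {
    # rules: ".read": true  -> the whole top level is visible to anyone
    "https://open-demo.firebaseio.com/.json?shallow=true":
        (200, '{"top-level": true, "clients": true, "accounting": true}'),
    # rules: ".read": "auth != null" -> anonymous GET is rejected
    "https://locked-demo.firebaseio.com/.json?shallow=true":
        (401, '{"error": "Permission denied"}'),
    # open rules but nothing stored yet -> Firebase answers "null"
    "https://empty-demo.firebaseio.com/.json?shallow=true":
        (200, "null"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline transport used by the demo and the tests."""
    return FAKE_RESPONSES.get(url, (404, ""))


def live_fetch(url: str) -> Tuple[int, str]:
    """Real transport: anonymous GET, returning (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "rtdb-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def rest_url(base: str, path: str = "", shallow: bool = True) -> str:
    """Build the REST endpoint for a node, e.g. <base>/top-level.json.

    An empty path addresses the database root (<base>/.json).
    """
    url = base.rstrip("/") + "/" + path.strip("/") + ".json"
    return url + "?shallow=true" if shallow else url


def classify(status: int, body: str) -> Tuple[str, List[str]]:
    """Map a REST response to ('open' | 'empty' | 'denied' | 'unexpected', keys)."""
    if status == 401:
        return "denied", []          # rules rejected the unauthenticated read
    if status != 200:
        return "unexpected", []
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected", []
    if data is None:
        return "empty", []           # readable, but nothing stored at this node
    keys = sorted(data) if isinstance(data, dict) else []
    return "open", keys              # anyone on the internet can read this node


def check(base: str, path: str = "", fetch: Fetch = live_fetch) -> Tuple[str, List[str]]:
    """Probe one node without credentials and report what an anonymous client sees."""
    return classify(*fetch(rest_url(base, path)))


if __name__ == "__main__":
    for project in ("open-demo", "locked-demo", "empty-demo"):
        verdict, keys = check(f"https://{project}.firebaseio.com", fetch=fake_fetch)
        print(f"{project:12s} {verdict:10s} {keys}")
```

A result of `open` on the root is the situation the post describes: the rules shown as "recommended" grant `.read` to everyone, and Firebase rules cascade downward, so every child node is exposed as well. With the `auth != null` rules the same request yields `denied`; a legitimate client then has to send a Firebase Authentication ID token, which the REST API accepts as `?auth=<ID_TOKEN>`, rather than the project's web API key.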