Firebase Rules for Realtime Database Without Using Firebase Authentication

2
votes

I'm pretty new with Firebase Service, but I've already completed code for my iOS app which is responsible for Firebase Realtime Database Interaction.

Now I want to make my app secured and protect it with Firebase Rules. There is a problem that I'm using my own authentication for users and therefore I don't use Firebase Auth.

So the question is how can I secure my database using Firebase Rules and without Firebase Auth.

2
iosobjective-cswiftfirebasefirebase-realtime-database
You can't use security rules based on the currently authenticated user without also using Firebase Authentication. - Doug Stevenson
If you open the project for the firebase console then you can go over to the Database section and set the firebase rules from there (you'll see a tab called "rules") - Kitanga Nday

2 Answers

3
votes

Note: To my knowledge, it's not possible to use your custom authentication system directly within Firebase.

Assumption: You have an authentication server which Firebase Admin SDK (can be/has already been) integrated.

You need to create custom tokens in order to use your authentication within the Database/Storage:

https://firebase.google.com/docs/auth/admin/create-custom-tokens

Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.

Omitting Java and Python from the upper link

In server:

// Step 1: Your client has sent the credentials.
// Step 2: Fetch the client's unique id, and create a custom token with the Admin SDK.

var uid = "some-uid"; 

admin.auth().createCustomToken(uid)
  .then(function(customToken) {
    // Send token back to client
  })
  .catch(function(error) {
    console.log("Error creating custom token:", error);
  });

Then in iOS part:

// Step 1: Login with your own authentication system.
// Step 2: Send your credentials to your server, and fetch the customToken.
// Step 3: Sign in with FIRAuth:

[[FIRAuth auth] signInWithCustomToken:customToken
                           completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
  // ...
}];
3
votes

As Stevenson said , you cant use security rules without firebase authentication.

To use firebase authentication, please follow steps below

You can get firebase token from server along with your own auth token , then you can use custom token authentication api (https://firebase.google.com/docs/auth/ios/custom-auth) to authenticate with firebase

  1. To know about custom token generation on server side , follow this, https://firebase.google.com/docs/auth/admin/create-custom-tokens
  2. One common pattern for storing user data in the Realtime Database is to store all of your users in a single users node whose children are the uid values for every user. If you wanted to restrict access to this data such that only the logged-in user can see their own data, your rules would look something like this:

Example:

{
      "rules": {
            "users": {
              "$uid": {
                ".read":  "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid"
              }
            }
          }
 }

Here auth is authorization object.uid is the unique token(user id for above case) which you send from custom token generation on server side.For more details, please check firebase documentation on user security.