0
votes

I have a Flutter app which uses PDF files and video files. I have put these files in Firebase Storage and I put the URLs of these files in database collections to use them in my app. I do not want any email and password authentication on my app. Are my PDF and video files secure? Can anybody access them or obtain them? These are my rules for the database:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write;
    }
  }
}

These are my rules for Firebase Storage:

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}
2
Hmm.. I think he builds the app for his own usage, right? - Angus Tay

2 Answers

2
votes

Your rules allow anybody to read, modify or delete your files, so no, your files are not safe at all. If you want your files to be safe, you must consider implementing some kind of authentication and setting the appropriate rules so that only you or a certain group of users are able to access your files.

You can read more about setting rules in the Firebase documentation.

2
votes

If you don't want to ask your users to enter credentials, but still want a modicum of security, consider using Firebase's anonymous authentication provider. From the documentation:

You can use Firebase Authentication to create and use temporary anonymous accounts to authenticate with Firebase. These temporary anonymous accounts can be used to allow users who haven't yet signed up to your app to work with data protected by security rules. If an anonymous user decides to sign up to your app, you can link their sign-in credentials to the anonymous account so that they can continue to work with their protected data in future sessions.


Of course if you don't want to associate your files or data with a specific user, then anonymous auth is also pretty meaningless. But at that point you're indeed looking to allow pure unauthenticated public access. This may be a fine option too, as long as you realize that your project will be charged for any reads/writes by any users.


If you want any users, without identifying them or providing credentials, to be able to read the data/files, but not write any data/files of their own, you're looking for read-only rules:

allow read: if true;
allow write: if false;

Or shorter, but less explicit to read:

allow read;
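A rules set that implements this answer's advice for both the Firestore catalogue and the Storage files, added here as an example and not part of either answer: reads require a signed-in user (an anonymous sign-in satisfies `request.auth != null`), and all client writes are refused, so the files can only be uploaded or changed with the Admin SDK or the console, which bypass rules. The `/media` path is an assumption; Firestore and Storage rules are deployed as two separate files, shown one after the other here.

```rules
// --- firestore.rules (deployed on its own) ---
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Catalogue documents pointing at the PDFs and videos (path is an assumption).
    // Anonymous sign-in still sets request.auth, so it satisfies this check;
    // an unauthenticated client gets request.auth == null and is refused.
    match /media/{docId} {
      allow read: if request.auth != null;
      allow write: if false;   // no client may create, update or delete entries
    }
    // Every other path: denied explicitly (rules already deny by default,
    // this just makes the intent visible when the file is reviewed).
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

// --- storage.rules (deployed on its own) ---
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // The PDF and video objects themselves (path is an assumption).
    match /media/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if false;   // uploads happen via the Admin SDK or console only
    }
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Note that a download URL produced by `getDownloadURL()` carries an access token and is readable by anyone holding the link regardless of these rules, so files the rules are meant to protect should be fetched through the Storage SDK by object path rather than by storing download URLs in the catalogue.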