I've created an app, which uses the Firebase Realtime Database. I have a pretty big problem with the security rules. My users don't need to login use the app, they can send the data to the database without any authentication. For example: it's a simple game, they can play with each other, then they can save the scores. I would like to create a secure database, but anyone can write & read it. What is the best solution? Anonymous authentication?
2 Answers
1
votes
If you don't secure your database, anyone can write any score.
Worse, anyone can write their own app to use your database, and you'll then end up paying for it. If you don't want this, write rules that only allow the exact interaction that is valid for your app.
If you don't want to require (even anonymous) authentication, at the very least write validation rules that ensure the data that is written follows the business rules of your app and code. That at least makes it less interesting for others to abuse your database for their own purposes.
1
votes
Anonymous auth is better than no auth at all. But you will need to take care to write rules that allow each user appropriate access to whatever parts of the database they should have access to. Simply allowing all anonymously auth'd users to read and write everything is still not really "secure" at all.
