Firebase Realtime Database Security for Private Single-Developer User

0
votes

I have a React app which I developed for my own usage in localhost development mode.

  • The app stores some data to a firebase realtime database which I created just for the project.
  • Has no authentication, since only I use it in development mode.

The rules on the firebase database are the default ones:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

Thus firebase alerts me to the usual: 'Your security rules are defined as public, so anyone can steal, modify...' - warning.

My understanding is that in this case, the only way someone could get access to my data is if they got hold of information about the firebase instance, such as apiKey, database URL, authDomain. Is this true? (Or is there some other straightforward way people can get access to the data in this case, obviously not talking about hacking my computer/google account, etc.

This data is important to me, so basically I am wondering if my current practice is secure.

PS: I do understand how to set up firebase database security for a 'normal' user app. However, in this particular instance, I believe it is not needed, is this correct?

Thanks very much.

2
firebasefirebase-realtime-databasefirebase-security

2 Answers

0
votes

Anyone who knows the URL to your project can now read, and write your data. They can delete your entire database with a single command. While this may be exactly what you want (which is why Firebase allows it), most applications need more controlled access to their data (which is why you get alerts from Firebase to that effect).

Your best option is to add Firebase Authentication to your app. With that you can ensure that you are indeed the only person using it. Right now your statement about that is an assumption based on your faith in nobody having access to your URL. By implementing authentication, you can actually ensure that you're the only person having access to the data.

This could be as simple as implementing anonymous authentication, which generates an ID for the user without requiring them to provide any credentials. If you then log that ID, you can restrict access to the database to that one user with rules like this:

{
  "rules": {
    ".read": "auth.uid === 'your_uid''",
    ".write": "auth.uid === 'your_uid''" 
  }
}

Even that simple change already makes your database much more secure, as now only that one user can access the data.

I strongly recommend that you spend some time reading more about Firebase's security model and rules, and that you then secure your database. Not only will this get rid of the alert, but (more importantly) it ensures the data is only accessed in ways that you control.

0
votes

Using API key, database URL, auth Domain and etc, your end application makes a connection with the server. In short, all your API keys, database URL, auth Domain and etc are openly available. But this is not a problem until and unless your security rules are in place to protect your data from getting explored. Read more about Security Rules.

There are a few simple steps to protect or secure your data: [These are tips from me]

  1. Use Authentication: This is the easiest way of keeping track of the user and the data the user can access or modify.

Note: Never trust the data coming from the user. You must validation the each and every data coming from the user.

  1. Use of Functions: Functions have a special property - They can bypass the security rules. Remember not to expose all the data to users/open world. You can send the data to the invoked functions and let all the functions handle all the logic. This method is costly from the financial and request/response view.