0
votes

I have a Firebase app/game which does not require any authentication. My plan is that anyone should be able to open the website or the mobile app and start playing directly. I don't need to record any user IDs. Firebase keeps emailing me:

We've detected the following issue(s) with your security rules:

- any user can read your entire database
- any user can write to your entire database

Because your project does not have strong security rules, anyone can access your entire database. Attackers can steal, modify, or delete your data, and they can drive up your bill.

My concern is, is there any workaround for this? Is it not normal to have an app without authentication?

2 Answers

0
votes

You should activate anonymous authentication anyway, which would allow you to define basic security rules and limit CRUD access to data based on user ID.

This is the way.

0
votes

Is it not normal to have an app without authentication?

It is not normal to skip use of authentication for apps released to the public. The email is trying to warn that bad things can happen if you do this, and those bad things will be easy to execute for an attacker.

If you do actually intend to publish something publicly writable, at least write your rules to constrain the public write access to a specific collection, and be clear in your rules exactly what kinds of writes are allowed. Don't leave the entire database open, else it's extremely easy for someone to cause you significant problems.

It's up to you to decide if you want public write access, but you need to be aware of the risk. If something happens and an attacker runs up a bill, you will be on the hook for any costs involved.
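As an added illustration of what both answers describe (not code from either answer), here is a rules file that combines anonymous authentication with writes confined to one collection and one exact document shape. It assumes the database is Cloud Firestore, since the second answer speaks of collections; the collection names `scores` and `players`, the field names and the numeric limits are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection: one document per submitted score.
    match /scores/{scoreId} {
      // Public leaderboard: single reads are open, list queries must
      // carry a limit of at most 50 so one request cannot dump everything.
      allow get: if true;
      allow list: if request.query.limit <= 50;

      // Create only, by a signed-in user (anonymous sign-in counts),
      // with exactly these four fields and bounded values.
      allow create: if request.auth != null
        && request.resource.data.keys().hasAll(['uid', 'name', 'score', 'createdAt'])
        && request.resource.data.keys().hasOnly(['uid', 'name', 'score', 'createdAt'])
        && request.resource.data.uid == request.auth.uid
        && request.resource.data.name is string
        && request.resource.data.name.size() >= 1
        && request.resource.data.name.size() <= 20
        && request.resource.data.score is int
        && request.resource.data.score >= 0
        && request.resource.data.score <= 1000000
        && request.resource.data.createdAt == request.time;

      // Clients can never change or remove an existing score.
      allow update, delete: if false;
    }

    // Hypothetical per-player state, keyed by the anonymous user's uid:
    // each player can touch only their own document.
    match /players/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }

    // No other match blocks: every other path is denied by default.
  }
}
```

Players still never see a login screen: the client signs in anonymously in the background, and `request.auth.uid` then gives the rules something to key on.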