Firebase Authentication issue

I’m using a realtime database and found the video about rules for that instead here


It’s telling me to do exactly what I’ve been doing as far as rules go. “auth != null” should be working. I technically have about 4 different users that all need read/write access. This rule doesn’t work as it should.

My only thought is that something isn’t set up properly between the app and Firebase, but I can’t figure out what. Your “tool” to find the correct ClientID in the JSON file is missing so I whitelisted every clientID I found in there. I added the SHA-1 from both the key stored in Kodular and the one that Google uses to the app (each key created a new client ID and I whitelisted them both). The package name is correct and my rules should be working. My users are listed in the Authentication page and I can see the last time they signed in. I have also made sure the Google login is run each and every time the app starts to make sure I don’t have an expired token or anything.
The only other things I can think of are that each screen uses a different project bucket for organization purposes or this doesn’t work with RTDB. Could either of those be the issue?

Looks like I’m not alone, I have no idea if this user got his issue solved, but it appears to be the same issue.

Got in contact with @Vishwas a few days ago, and after some hard work we got to the bottom of this.
Firebase doesn’t recognize our apps as authenticated even if we make everything right, so in order to make it work we must set the rules to the test environment (open).
He said that they have added it to their bug tracker and we will probably get a solution to it in the next update, since this is a huge issue and the data of everybody who uses Kodular and Firebase is vulnerable now.

In order to protect your data, I suggest using the obfuscated text block for your Firebase keys and encoding sensitive data before writing it to Firebase; this prevents exposing the data and the access to your Firebase if your app gets decompiled.
Even if the hacker gets access to your Firebase the content will be encrypted so it gives some extra work to the moron.

Okay, thanks for letting me know. My app is only used internally by about 20 Android tablets that all use the same Google account. It’s not publicly available so I’m not crazy worried. How do I use the obfuscated text when the Firebase data is entered into the Kodular creator?

WOW!! THIS IS A HUGE ISSUE!! Even if we encrypt our data it does not stop someone from deleting everything if they do get in, does it?! We should have been made aware of this. @Diego @Vishwas @Hossein

It’s not as big of an issue for me since my app isn’t public… But it’s definitely a HUGE issue for anyone trying to use Firebase to store user data this way. All your data is belong to us!

Kinda glad I did my due diligence at work today.

1 Like

Hi
There is no need to worry, your Firebase data hasn’t been compromised. If you use Firebase rules to authenticate users, you’ll occasionally see that some authenticated users are unable to access any data.

Your data isn’t exposed to unauthenticated users if you have your rules set up correctly.

Hi @Vishwas, thanks for the response and HAPPY BDAY!!

I don’t understand. Is there an issue or not? @guilhermemaracaipe said: ‘Firebase doesn’t recognize our apps as authenticated even if we make everything right, so in order to make it work we must set the rules to the test environment (open).’

And as @GaryH has also stated we can’t seem to get access to user data when we set up the rules. What does ‘occasionally’ mean? If I launch the app and 5% of my users can’t get access to their data then it’s a big deal.

What I’ve experienced is that when setting up the rules I’ve not been able to access user data 100% of the times I’ve tried. I’ve followed tutorials as closely as possible to no avail, so I don’t know if this is a component issue or if I’m missing something. The auth tutorial in the docs has an AIA link but it’s broken; at least that way I could test to see if I’m doing something wrong or if it’s actually an issue with Kodular as was stated here.

Please help! Thanks!!!

1 Like

Hi @Vishwas, happy birthday!
Sorry, but when we were testing, none of the Firebase rules were working; it only worked when it was set to read = true and write = true.
This way our data are exposed indeed.

1 Like

@Vishwas We have followed every step you guys have laid out. It still doesn’t work unless read and write are both set to “true” which opens the database for anyone to access whether they are authenticated or not. If there is a different way we are supposed to be doing this please let us know so that the numerous threads about this same issue can all be resolved.

I hate to be the squeaky wheel, I really do. But, I have employee information in that database. Others probably have user data that they need to keep safe in theirs and if all we can do to access it is set everything true then we (and possibly Kodular) are opening ourselves up to potential issues for not securing the information.
I don’t want to have to move my database. I like the way it is all set up. Just please help us secure it.

In Firebase, while setting up an app to use it, it gives changes that need to be made to the Gradle files. Could this potentially be the issue? When the Firebase Authentication component is used, should that trigger these changes to the Gradle files to make Firebase recognize the app?

Can I add Obfuscated text to TinyDB and still pull it elsewhere?

Yes you can

Thanks @guilhermemaracaipe, I’m in the process of obfuscating Webhook URLs and things. If I have the Firebase info in the component properties, is that secured too?

Nope, you should leave it blank and set those parameters at Screen Initialize block.

That gave me an error. I have it checking for data changes and I think it tries to check before it assigns the token and URL. I’ll try again tomorrow.

@Vishwas @Diego @ImranTariq, anybody?? We (and so many others) don’t have a response about this. It’s been months of development and now I don’t know if I can continue. Can you guys help us understand if this is a bug or if it’s actually possible to set private rules in Firebase?

@gopayarg btw, this community is about Kodular, and we are trying to help others with Kodular, and this issue is about Firebase (not related to Kodular). As far as I know, I tried to help, share and show you the way. We don’t own Firebase; it’s a Google product. As much as you can read their documentation, that is what we know too. For more, you can ask the Firebase team; only they can help you.

From what my testing has shown, Firebase rules fail to apply on some devices. Why that happens is yet to be ascertained by us. We’re not sure if it’s a problem with Kodular or the libraries we use. We’re still investigating.

Regarding breach of data, what I meant is it’s your call to make your Firebase database publicly readable/writeable. It’s not that all Firebase apps made with Kodular are suddenly breached. You can choose to make your rules public for now, or hold tight till we find a solution.

Hope this helps

2 Likes