Firebase Authentication issue

So yours is
".read": "true",
".write": "false"

I have to write to mine… but if you have it set up as above, you are still in test mode.

Ya but security is must na @GaryH

I’m not sure what you mean by this. Are you not concerned with security? Firebase Authentication isn’t necessary if you leave your database that way because the database itself isn’t checking for authenticated users. The rules to check would read as ".read": "auth != null" and that will give you a permission denied error.

Let me simplify for your better understanding…

(1) Read : True;
Write : True;
The above rules are not secure. Why? Because anyone having your Bucket IDs will be able to Write anything in your database.

(2) Read : True;
Write : False;
This means anyone having the bucket id will be able to read data from your database, but would not be able to write to it.

(3) Read : False;
Write : False;
Above rule is secure. But in that case, you will not be able to show (in fact call) data.

Thanks @asimjib93
I am really confused about what he is actually asking…

Exactly. Authenticating a user is supposed to allow you to write rules in a way to secure your database, but the only rule that works right now is leaving read or write as “true”.

"auth != null" should only allow an authenticated user to perform that function (whether it’s read or write) and not allow just anyone to read/write to your database. It’s not super secure, but better than leaving the door open for anyone to snoop around and edit your database.
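The rule states discussed in this thread can be checked mechanically. The following is an added example, not part of any post here and not Kodular or Firebase code: a small Python audit of an exported Realtime Database rules file that flags `.read`/`.write` rules open to everyone and shows that a grant at a parent path is not narrowed by a deeper `auth != null` rule. The sample rules are constructed, and the labels come from a string heuristic, not a rules evaluator.

```python
import json

# Constructed sample rules file covering the cases discussed in the thread.
SAMPLE_RULES = """
{"rules": {
  ".read": "true",
  ".write": "false",
  "users": {"$uid": {".read": "auth != null",
                     ".write": "auth != null && auth.uid == $uid"}},
  "scores": {".write": true}
}}
"""

def classify(expr):
    """Heuristic label for a .read/.write value; does not evaluate the rule."""
    if isinstance(expr, bool):
        return "open" if expr else "closed"
    text = expr.replace(" ", "").lower()
    if text in ("true", "false"):
        return "open" if text == "true" else "closed"
    if "auth!=null" in text or "auth.uid" in text:
        return "auth-gated"
    return "review"  # anything else needs a human look

def audit(node, path="/", open_above=None):
    """Return (path, operation, verdict) for every explicit rule in the tree."""
    open_above = dict(open_above or {})
    findings = []
    for op in (".read", ".write"):
        if op not in node:
            continue
        verdict = classify(node[op])
        if op in open_above:
            # Grants cascade downward: a deeper rule cannot take access back.
            verdict = "open via " + open_above[op]
        elif verdict == "open":
            open_above[op] = path
        findings.append((path, op, verdict))
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, path.rstrip("/") + "/" + key, open_above)
    return findings

def audit_rules_text(text):
    """Parse a rules file (hypothetical helper name) and audit its tree."""
    return audit(json.loads(text)["rules"])

if __name__ == "__main__":
    for path, op, verdict in audit_rules_text(SAMPLE_RULES):
        print(f"{path:14} {op:7} {verdict}")
```

Any line reported as `open` or `open via <path>` is readable or writable without a signed-in user, whatever the app does with the Authentication component.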

The databases we’re using on AI2 are not exactly made to use in the way we’re currently using it. So yes, you’ve to compromise.

But by providing the Firebase Authentication component it gives the developer a false sense of security regarding their data since it’s not really possible to use that authentication in any meaningful way regarding securing the data.

Yeah, @asimjib93 @Alapjeet I was talking about setting up actual database rules, like the ones in the Kodular tutorials, they are not working.

Any more information on this? My app is going to be used heavily starting in about 3 weeks and I would love to be able to apply rules to my database.

This might help:

I’m trying to work through this. There are a few blocks that aren’t there like the JsonObjectEncode block in the web component. I’m trying to work around that.

For the jsonObjectEncode try:

blocks (27)

instead

Thanks. Can someone look into implementing this into the FB component so we don’t have to rebuild all of our firebase functionality? My app relies on firebase quite a bit and I’m using the when firebase data changes blocks on most of my pages.

My post does indicate an extension that will do this…

I saw that paid one. I was hoping that since the auth component was not functional with the firebase component as is, someone would work on correcting that issue instead of forcing us to pay for an extension to do what should be done already.

Since that extension hasn’t been tested as a solution for this issue, I’m wary about paying the money to test it out. Looking at the post, it looks like it is using the standard firebase component to actually store and get info which concerns me since that is what isn’t passing the authorization token and causes errors.

No-one is forcing you to do anything!

The old saying - “time is money” :wink:

If you have the time to use my “free” solution, then you can do it for free. But for $5 you can save yourself a lot of time. We have no God given right to expect all these things to come for free…

Then the firebase auth component should come with a disclaimer that it actually doesn’t do anything or should be removed because it doesn’t communicate with the firebase DB component and can’t be used in any meaningful way. The paid extension may not even function since this same question has been asked there with no response. I may be forced to use your REST API method in order to keep my information safe.

As a developer, I have a responsibility to make sure my software functions as advertised. I don’t feel that the firebase authorization component does in its current state and because the users haven’t been made aware it could open them up to user data theft. Asking for the developers to fix an obvious bug isn’t expecting anything above the functionality that it’s supposed to provide. Maybe the firebase component should change to using the REST API by default that way Authentication tokens and database rules can be used properly.

I think you need this app:

The Firebase Auth extension and components do what they say on the tin, allow users to authenticate with Firebase. Yes, it would have helped to have the idToken pass-through included.

Oh, and you are welcome :+1: