Firebase Security Settings and Blocks

Hello first of all!

Today I’m going to show you how to protect your Database in Firebase.

I did quite a bit of research on this a few months ago. I’m publishing a short tutorial so that you don’t get tired like me. :smiley:

STEP 1: Set your database rules. (If you are using the auth component in your application you can do it like me.)

  {
    "rules": {
      ".read": "auth.uid != null",
      ".write": "auth.uid != null"
    }
  }

STEP 2: Go to Project Settings.

STEP 3: Go to Service Accounts.

STEP 4: View Database Secrets.

STEP 5: Click “Show” and copy the secret code.

STEP 6: Put your secret code in the Firebase database.


(safe way)

STEP 7 (Final Step): Add a clock sensor to the screen and refresh your database every 100 milliseconds. If you wish, you can also put the “Get id token” block on Screen Initialize or every time you retrieve data, but it is easier to do with Clock.





That’s all I’m going to say. :heart: If you have any questions, you can write. Don’t forget to like if you found it useful. :slight_smile:


So what will happen due to this setup?

If you do this, people won’t be able to access your database. Of course, that doesn’t mean it’s 100% safe. Hackable, but safe.

If you don’t (if you set the rules to true, true), people can access it.


If you set the rules to auth.uid then it won’t be readable either… .json will work as long as Firebase is not protected (which means the read and write rules are set to true).

No, the Firebase secret code comes into play here. Data reading and writing requests from the application are accepted thanks to that code. You can try and see. :slightly_smiling_face:

I set the read value as auth.uid != null,

See, I am unable to read, but if I set it to true I am easily able to read it.

The rules are not so important; everyone can adjust them as they like. The important thing is that with the secret code, the application can read and write regardless of the rules. :smile:

I don’t think this is correct… can you show any screenshot for your statement?

I strongly believe that Firebase works based on read and write rules.

Firebase rules are already available in the Kodular docs.

If you set your rules to “read = true, write = true” then everyone has access to your database… for example, if you make one app and add a Firebase database with the same rules, then I can easily store or get any value from your database.

But if you use “auth.uid != null” then only the users who have logged in to your app can have access.

There are more rules, like a user can only access their own data, etc. Check out the Kodular docs for more rules.

Using Firebase security rules, no matter if your app is vulnerable to hackers, your data is always safe with Firebase. However, I recommend you use custom claims for your token as well. For example, if you are an admin, you can set a custom claim in your token like “admin: true” and then you can set Firebase security rules to allow access to the admin resource only if there’s an admin: true claim in the token.

You can then use this rule to check: auth.uid !== null && auth.token.admin === true in your security rules.

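As an added example (not taken from any post in this thread), here is a Realtime Database rules file that combines the per-user rule mentioned above with the admin custom-claim check. The `users` and `admin` paths are assumed for illustration; the `admin` claim must be set server-side with the Admin SDK, since a client can never grant itself a custom claim. JavaScript-style comments are accepted by the Realtime Database rules editor.

```json
{
  "rules": {
    // Explicit default: nothing is readable or writable unless a deeper rule grants it.
    ".read": false,
    ".write": false,

    // Each signed-in user may read and write only their own subtree (/users/<their uid>).
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    // Admin-only data: requires a signed-in user whose ID token carries admin: true.
    "admin": {
      ".read": "auth != null && auth.token.admin === true",
      ".write": "auth != null && auth.token.admin === true"
    }
  }
}
```

With these rules a signed-in user who is not an admin can still read /users/&lt;own uid&gt; but gets a permission-denied error on /admin and on any other user's subtree, which is the behaviour the posts above describe.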