Firebase Security Settings and Blocks

Guides
#1

Hello first of all!

Today I’m going to show you how to protect your Database in Firebase.

I did quite a bit of research on this a few months ago. I’m publishing a short tutorial so that you don’t get tired like me. :smiley:

STEP 1: Set your database rules. (If you are using the auth component in your application you can do it like me.)

resim
resim799×509 17.4 KB 

{
  "rules": {
    ".read" : "auth.uid != null",
    ".write" : "auth.uid != null",
  }
}

STEP 2: Go to Project Settings.

resim
resim1068×611 75.3 KB

STEP 3: Go to Service Accounts.

resim
resim1399×245 15.4 KB

STEP 4: View Database Secrets.

resim
resim1445×606 50.2 KB

STEP 5: Click “Show” and copy the secret code.

resim
resim1482×706 52.8 KB

STEP 6: Put your secret code on firebase database.

resim
resim751×799 49.7 KB

OR

resim
resim705×227 18.4 KB
(safe way)

STEP 7 (Final Step): Add a clock sensor to the screen and refresh your database every 100 milliseconds. If you wish, you can also put the “Get id token” block on Screen Initialize or every time you retrieve data, but it is easier to do with Clock.

resim

resim

OR

resim
resim

That’s all I’m going to say. :heart: If you have any questions, you can write. Don’t forget to like if you found it useful. :slight_smile:

4 Likes
#2

So what will happen due to this setup?

#3

if you do this people won’t be able to access your database. Of course, that doesn’t mean it’s 100% safe. hackable but safe.

resim
resim812×265 7.32 KB

if you don’t (if set the rules to true, true.) people can access it.

resim
resim1038×324 11 KB

2 Likes
#4

If you set rules auth uid then it won’t be readable also… .json will work untill firebase is not protected ( which mean read and write rule if set it as true)

#5

no, firebase secret code comes into play here. Data reading and writing requests from the application are accepted thanks to that code. you can try and see. :slightly_smiling_face:

#6

I set read value as auth.uid!=null,

See I am unable to read but if I set it as true easily able to read it

Screenshot_2022-10-15-22-38-41-74
Screenshot_2022-10-15-22-38-41-74720×718 84.1 KB

Screenshot_2022-10-15-22-38-21-42
Screenshot_2022-10-15-22-38-21-42720×354 25 KB

Screenshot_2022-10-15-22-37-02-23
Screenshot_2022-10-15-22-37-02-23720×1520 146 KB

Screenshot_2022-10-15-22-36-51-16
Screenshot_2022-10-15-22-36-51-16720×368 31.6 KB

#7

The rules are not so important, everyone can adjust it according to himself. The important thing is that with the secret code, the application can read and write regardless of the rules. :smile:

1 Like
#8

I don’t think so this is correct… can you show any screenshot for your statement???

I strongly believe that firebase works based on read and write rules.

#9

Firebase rules is already available in Kodular docs

#10

If you set your rules “read = true, write = true” then everyone has access to your database… like if you make one app and added firebase database with same rules then I can easily store or get any value from your database

But if you use “auth.uid != null” then only the users who logined in your app can have access

There are more rules like user can only access there data’s only etc. Checkout Kodular docs for more rules

#11

Using Firebase security rules, no matter if your app is vulnerable to hackers, your data is always safe with Firebase. However, I recommend you to use custom claims as well for your token. Like if you are an admin, you can set a custom claim in your token like “admin: true” and then you can set Firebase security rules to allow access to the Admin resource only if there’s admin: true claim in the token.

You can then use this rule to check: auth.uid !== null && auth.token.admin === true in your security rules.

1 Like
#12

Only Firebase rules need to be configured, putting “a secret code” won’t help anything, I’ve been working with Firebase for years and it’s always been like this. Your post just confuses