3

I have a web app which writes data when a visitor submit a form and read data whenever that form is submitted. Everyone can read the data, but to write the data I use the firebase anonymous login option whenever the users click the submit button.

In my firebase database rules I have set the write to "auth != null" because there is no users, but I still want to secure the data.

Why can't anyone just find my config file in the browsers developer tools and create an app which uses that config file and anonymous login and abuse my data? And if they can, how do I ensure that my data stays secure?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Vebjørn Isaksen
  • 33
  • 3
  • if you set "auth != null" to write in the rules no one except the conected users can write data but if you have some doubts you can use the firebase rule Simulator to test your rules. – Bruno Ferreira Jul 16 '17 at 19:35
  • Sure, but why can't anyone just find my config file and use that to connect to my database, use anonymous login and abuse my data? – Vebjørn Isaksen Jul 16 '17 at 19:46
  • Find your config its possible because config is inside a javascript file, but you can turn hard to do this, just minify the javascript file. – Bruno Ferreira Jul 16 '17 at 19:51
  • 2
    Obfuscating the configuration data is not the solution here. In fact, any user can find the URL of the Firebase Database by going to the network tab of their browser's dev tools. The configuration data is necessary to use Firebase services, it is not a security measure. See my answer here about [whether it's safe to expose the API key](https://stackoverflow.com/a/37484053/209103). To ensure specific users can only access the data they are authorized for, read the [ User Based Security](https://firebase.google.com/docs/database/security/user-security) section of the Firebase documentation. – Frank van Puffelen Jul 16 '17 at 20:29
  • When using "auth != null" on the write rule and anonymous login, can someone create an app using my config file and change my data? That is my question. – Vebjørn Isaksen Jul 16 '17 at 21:01

1 Answers1

0

They can create a different user and modify that user's data which is fine. However they won't be able to get hold of that anonymous user's data. You can ensure that only that specific user (identified by the unique user id) can access his/her own data by setting the following rule. Each anonymous user has a unique uid: { "rules": { "users": { "$user_id": { // grants write access to the owner of this user account // whose uid must exactly match the key ($user_id) ".write": "$user_id === auth.uid", // You can do the same for reads. ".read": "$user_id === auth.uid" } } } } Check the docs for more on this: https://firebase.google.com/docs/database/security/user-security

This protects that a user signed in into your real app, anonymously, will not have their data accessed externally by some phishing app.

However, you can't protect against someone using your API key and signing up anonymous users. If you want a more secure sign-in mechanism, you can look into the OAuth providers or phone sign-in which have origin verification mechanisms.

bojeil
  • 29,642
  • 4
  • 69
  • 76
  • Cool thanks. The thing is that when the users hit the submit button they should send the data to a global store. When I retrieve the data I want all the data that the users has sent by hitting the submit button. In other words, there is no user data, only some checkin and checkout dates that I need to store. What can I do then? – Vebjørn Isaksen Jul 17 '17 at 17:56
  • Hmm, I see. This is hard to secure with just anonymous users. You could have an offline script that picks up user specific data protected using specified rule above for each user and modifies it in your global store but that won't protect against phishing apps from signing in users that would affect this data. I think if this data is critical/sensitive, you should probably use a more secure mechanism of authentication. Otherwise you may have to accept the risks. – bojeil Jul 17 '17 at 20:53