Home > Blockchain >  authentication with firebase Realtime Database without user
authentication with firebase Realtime Database without user

Time:09-24

I have a firebase realtime database with read/write to all, however I don't have any user and don't intend to auth user. The data is written by a event listener and scheduler(java), my html ui application supposed to read data only.

How should I do to secure my db?

With development(unsecure) mode, I can use any http client to write/read data? How do I pass authentication after I secure it?

CodePudding user response:

To allow only your web site to read, and only your backend to write, you'll want to combine security rules with Firebase App Check.

Security rules

First in security rules, you'll do:

{
  "rules": {
    ".read": true,
    ".write": false
  }
}

This allows everyone to read your entire database (we'll limit it to your app later), and allows nobody with a client-side SDK to write to it.

I strongly recommend adding some additional logic in the rules to limit how people can read the data though. For example, if your code first reads a list of users, and then shows the posts from a selected user, modify your rules to only allow that specific path, and reject anything else.

App Check

Now with the rules in place, you'll want to start using App Check to reduce the abuse you get from people taking your configuration data and calling the API on their own.

App Check is no guarantee that this can't happen anymore (especially on web), but it definitely increases the work a malicious user has to do.

Page link:https//www.codepudding.com/Blockchain/125695.html

Prev:Firebase phone authentication without waiting for verification code
Next:Show specific fields in related entities in choicetype Symfony 5
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding