Restricting Firebase Read/write Access To Only Myself
Solution 1:
The firebase.initializeApp(config)
does not authenticate you, it merely identifies your project on the Firebase servers. It's the equivalent that you must know your home address to be able to know where to go after work. Knowing the address is a prerequisite, but it is not enough to gain access.
If you want to restrict data access to "just you", that means that you must first identify yourself with Firebase. This you do with Firebase Authentication. For example, to sign in with email+password you'd do:
firebase.auth().signInWithEmailAndPassword(email, password)
Read the documentation for email+password authentication for the full steps.
Once you're authenticated, you get a unique id; a so-called uid
. You can find your uid
in the Auth tab of your Firebase Console.
With this uid
you can control access to the data (both database and storage). So if you copy your uid
from the console and add it to your security rules, only you (or someone who knows your email+password) can access the database:
{"rules":{".read":"auth.uid == 'e836f712-4914-41df-aa80-5ade6b8b7874'",".write":"auth == 'e836f712-4914-41df-aa80-5ade6b8b7874'"}}
Note that I added one of my own uid
s in this snippet. Just like knowing your API key or database URL is not a security risk, neither is knowing my uid
. Knowing that I am Frank van Puffelen, user:209103
on Stack Overflow, does not mean that you can impersonate me.
Solution 2:
The rules in your question would allow any authenticated user to read and write to any key in the database. If you wish, for development purposes, to configure a single user and restrict access to only that user, you could use the following rules:
{"rules":{".read":"auth !== null && auth.uid === '<your-uid>'",".write":"auth !== null && auth.uid === '<your-uid>'"}}
Where <your-uid>
is the User UID for the user with which you wish to sign in - you can find it on the Firebase console under Auth (where you can also create a user, if you have not already done so).
Typically, Firebase would be configured so that users could create accounts and finer-grained rules would be used to give users read and write access to specific parts of the database.
Post a Comment for "Restricting Firebase Read/write Access To Only Myself"