Home Firebase anonymous login security
Reply: 1

Firebase anonymous login security

Vebjørn Isaksen
Vebjørn Isaksen Published in 2017-07-16 19:11:10Z

I have a web app which writes data when a visitor submit a form and read data whenever that form is submitted. Everyone can read the data, but to write the data I use the firebase anonymous login option whenever the users click the submit button.

In my firebase database rules I have set the write to "auth != null" because there is no users, but I still want to secure the data.

Why can't anyone just find my config file in the browsers developer tools and create an app which uses that config file and anonymous login and abuse my data? And if they can, how do I ensure that my data stays secure?

bojeil Reply to 2017-07-17 07:53:30Z

They can create a different user and modify that user's data which is fine. However they won't be able to get hold of that anonymous user's data. You can ensure that only that specific user (identified by the unique user id) can access his/her own data by setting the following rule. Each anonymous user has a unique uid: { "rules": { "users": { "$user_id": { // grants write access to the owner of this user account // whose uid must exactly match the key ($user_id) ".write": "$user_id === auth.uid", // You can do the same for reads. ".read": "$user_id === auth.uid" } } } } Check the docs for more on this: https://firebase.google.com/docs/database/security/user-security

This protects that a user signed in into your real app, anonymously, will not have their data accessed externally by some phishing app.

However, you can't protect against someone using your API key and signing up anonymous users. If you want a more secure sign-in mechanism, you can look into the OAuth providers or phone sign-in which have origin verification mechanisms.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.329918 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO