Reputation: 1
I want to configure a Firebase database so that it only accepts connections from my iOS app.
I have no problem configuring rules to manage access from authenticated users, etc., but I want to know the best approach to prevent connections from apps other than mine.
How can I do that?
To be more concrete about the use case: my app is a service, and users can register to use it by authenticating with Twitter and Facebook. Users will pay for the service, and the app will use Firebase as the backend, which means that I will pay for the Firebase service. Users pay me, and I pay Firebase. So that is the reason I want my app to be the only one that connects to and uses the Firebase database. And I think this is the common case out there. Other backend services, such as Parse, allow you to do this by using a secret key when the app connects.
Upvotes: 0
Views: 1481
Reputation: 40582
If I understand the question correctly, the criteria are as follows:
Assuming all of this is correct, I see two quick answers:
Create your own auth tokens
Since FirebaseSimpleLogin is available from the cloud, you won't be able to prevent users from authenticating based on device. But FirebaseSimpleLogin is just a wrapper on the token generator, so nothing stops you from generating your own.
#!/usr/bin/env node
var FirebaseTokenGenerator = require("firebase-token-generator");

// The Firebase secret signs every token, so it must stay on the server.
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
var userId = process.argv[2]; // the user to mint a token for
var token = null;

// Only mint a token when the request is known to come from the iOS app.
if( validateUserIsFromiOSApp() ) {
  token = tokenGenerator.createToken({id: userId});
}

// How to tell a genuine iOS client from any other caller is the open question.
function validateUserIsFromiOSApp() { /* ??? */ }
Now one can simply turn off simple login and users will have no way to authenticate without first obtaining a valid token from your service. Security rules here are proprietary, but would contain something like this:
".read": "auth.uid !== null"
With some creativity, depending on the use case for requiring Twitter/Facebook auth, you might be able to bypass the entire auth process by simply having the app request a token when it registers and never forcing the user to authenticate at all.
Using some metadata in conjunction with simple login
Of course, simple login is by definition simple and does not require a server process. You could utilize this by storing information about which users have purchased your app:
The security rule would look something like this:
".read": "root.child('purchase_receipts/'+auth.uid).exists()"
Additional reading:
Upvotes: 4