chitzui

Reputation: 4098

Isn’t it possible for anyone to manipulate my Firebase Database?

Just wondering… Since the initialization of Firebase is public in a script tag:

<script>
  // Initialize Firebase
  var config = {
    apiKey: "key",
    authDomain: "domain",
    databaseURL: "url",
    storageBucket: "bucket",
    messagingSenderId: "id"
  };
  firebase.initializeApp(config);
</script>

isn’t it theoretically possible, with this information, for anyone to manipulate the database?

Upvotes: 0

Views: 373

Answers (2)

devprashant

Reputation: 1293

It depends on how you set the permissions (realtime database rules language) of read and write data to a node in firebase database.

Sample Application Scenario:

Firebase Database Rules Design:

  • Suppose a node (aka "parent") in which every user has the permission to create a child after auth.

    {
      "rules": {
        "parent": {
          ".read": true,
          ".write": "auth != null"
        }
      }
    }
    

Firebase Database operations:

  1. User 2 pushes data via "push()" and creates a new child node (randomIdforchild2).

    parent
    |--randomIdforchild2
       |--resetparentData: false
       |--addData: true
    
  2. User 3 pushes some data via "push()", resulting in a new child node (randomIdforchild3).

    parent
    |--randomIdforchild2
    |  |--resetparentData: false
    |  |--addData: true
    |--randomIdforchild3
       |--resetparentData: false
       |--addData: true
    
  3. User 1 adds data to the parent node via "set()". This will reset the parent node.

    parent
    |--childNodeNameByUser1
       |--resetparentData: true
       |--addData: true
    

For this particular scenario, you should rethink your data structure and node access permissions (firebase database security rules).

Due to the permission that every user has, an exploring developer "User 1" can actually issue a "set()" request in place of "push()", which overwrites the previous data. Here you need to restructure your data model.

It may vary in your case.

Hope this makes it clear.

Reference: Understand Firebase Realtime Database Rules

Upvotes: 1
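To make the overwrite in the answer above concrete, here is an added example (not from the answer or from Firebase) that models how `.write` rules cascade down the data tree and contrasts the rules above with a hardened version that only lets a signed-in user create a child that does not exist yet. The rule evaluator, the database state, the auth object and the `$childId` wildcard rule are all constructed for this illustration.

```javascript
// Constructed model of Realtime Database ".write" cascading (example code, not
// Firebase's rules engine): a rule true at a path grants writes to everything
// beneath it. Rule strings are run as JavaScript, valid only for these simple ones.
// Rules from the answer above: any signed-in user may write the whole "parent"
// node, so set() on "parent" wipes the children every other user pushed.
const WEAK_RULES = {
  rules: { parent: { ".read": true, ".write": "auth != null" } },
};
// Hardened alternative: no ".write" on "parent" itself; a signed-in user may only
// create a child that does not exist yet (what push() does), never overwrite one.
const HARDENED_RULES = {
  rules: {
    parent: {
      ".read": true,
      "$childId": { ".write": "auth != null && !data.exists()" },
    },
  },
};
// Constructed database state: User 2 has already pushed a child.
const DB = { parent: { randomIdforchild2: { resetparentData: false, addData: true } } };
const USER1 = { uid: "user1" }; // constructed auth object; null means not signed in

// Walk the rules tree along `path`; allow the write if any ".write" on the way
// evaluates true. `data` is the existing value at the node being evaluated.
function canWrite(rules, path, auth, existing) {
  let node = rules.rules;
  let data = existing;
  for (const seg of [...path, null]) {
    if (typeof node[".write"] === "string") {
      const snapshot = { exists: () => data !== undefined };
      if (new Function("auth", "data", `return (${node[".write"]});`)(auth, snapshot)) {
        return true;
      }
    }
    if (seg === null) break;
    data = data == null ? undefined : data[seg];
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    node = node[seg] ?? (wildcard ? node[wildcard] : undefined) ?? {};
  }
  return false;
}

// User 1's set() on "parent" versus a push() of a new child versus overwriting
// User 2's existing child.
console.log(canWrite(WEAK_RULES, ["parent"], USER1, DB));                          // true: overwrite allowed
console.log(canWrite(HARDENED_RULES, ["parent"], USER1, DB));                      // false: blocked
console.log(canWrite(HARDENED_RULES, ["parent", "newChildId"], USER1, DB));        // true: push() still works
console.log(canWrite(HARDENED_RULES, ["parent", "randomIdforchild2"], USER1, DB)); // false: existing child safe
```

Because a true `.write` cannot be revoked at a deeper level, the fix is to move the grant down to the wildcard child rather than adding more rules under `parent`.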

Frank van Puffelen

Reputation: 599706

Since Firebase is a cloud-hosted database, it needs to be accessible to your users. The information in that script allows everyone to find your database and thus access it.

But by implementing the security rules that @FowotadeBabajide linked to you can control who can access what data, and validate that the data is in the format your app expects.

The topic is incredibly broad, so I recommend starting with the Firebase documentation on database security and then reading some questions with the tag.

Upvotes: 2
