Firebase database security without having to Authenticate (Web)

Question

I've been working with Firebase for 2 or 3 months, in the Android environment.

All my security was the User registration and Login and some DB rules based on the Authentication.

Now I'm starting a new project in Web environment (HTML and Javascript).

It should be a web application which connects to firebase to perform some write and read operations.

I don't want the user to authenticate because there's no need.

What scares me is the fact that all the HTML and javascript is visible by the browser developer console. Inside my Html there is the Firebase configuration which is needed to connect my project with the DB and all the other features.

It's safe to let everyone see the configuration?

Which is the correct way to implement security in this kind of situation?

Answer 1

Firebase Database access revolves around knowing the user and authorizing their usage based on that knowledge. If you don't require your web users to sign in, it is very easy to allow them access.

But how will you then control malicious users from overwriting everyone else's data or from locking access to the database for everyone else? Without knowing the identity of the malicious user your only options are to:

1. allow everyone in
2. allow no-one in

If you don't want to require your users to sign in, but still want to secure access based on knowing which user took each action, you can use Firebase's anonymous authentication. The code snippet from the docs:

firebase.auth().signInAnonymously().catch(function(error) {
  // Handle Errors here.
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});

This is a single no-UI API call, that generates a unique ID for you users. So there's no burden on the user, but you can in your security rules still act on the UID of such users.