Cod3Flu3nc3

Reputation: 147

Firebase Realtime Database Privacy best practice

I'm playing with Firebase Realtime Database, and after a while I started wondering if there are best practices for structuring the database for privacy.

I mean, I see best practices for performance, like database fan-out:

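import com.firebase.client.Firebase;
import java.util.HashMap;
import java.util.Map;

// Build the user record once so the same value is written to every location.
Map<String, Object> updatedUser = new HashMap<>();
updatedUser.put("name", "Shannon");
updatedUser.put("username", "shannonrules");

Firebase ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com/");

// Each key is a path relative to ref; all paths are written in one update.
Map<String, Object> fanoutObject = new HashMap<>();
fanoutObject.put("/users/1", updatedUser);
fanoutObject.put("/usersWhoAreCool/1", updatedUser);
fanoutObject.put("/usersToGiveFreeStuffTo/1", updatedUser);

ref.updateChildren(fanoutObject); // atomic updating goodness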

But I found nothing about privacy policies.

I know there are database ACLs that I can use to, for example, restrict access for users who are not authenticated or users who are not the "owner" of a particular node... but for those nodes that are readable, someone could, if he wanted, access all the children of those nodes.

Suggestions?

EDIT: Database rules are not descendant, so if I let users read a node, they can always read all nodes below:

{
  "rules": {
     "foo": {
        // allows read to /foo/*
        ".read": "data.child('baz').val() === true",
        "bar": {
          /* ignored, since read was allowed already */
          ".read": false
        }
     }
  }
}

Upvotes: 1

Views: 668

Answers (2)

andygeers

Reputation: 6966

If you need ACL style security, take a look at Custom Auth Claims - using Cloud Functions you can add your own properties to a user's JWT auth token, e.g. to say which groups they belong to or which products they have purchased. Then your security rules can look at those properties upon the user and decide if they can access a particular node.

Upvotes: 0
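
The cascade from the question's EDIT and the claim-based check suggested in the answer above, as an added example (not code from the question, the answers or Firebase). It is a simplified model of read evaluation with rule expressions written as JavaScript predicates; the node names, the users and the `premium` claim are constructed for illustration.

```javascript
// Simplified model of Realtime Database read checks (illustrative, not Firebase
// code): rules are evaluated from the root down to the requested path, and the
// first ".read" that is true grants the read. Deeper rules cannot revoke it.
// Rule expressions are written as JS predicates instead of rule strings.
function canRead(rules, path, auth) {
  let node = rules;
  const vars = {};
  const granted = (n) => typeof n[".read"] === "function" && n[".read"](auth, vars);
  if (granted(node)) return true;
  for (const segment of path.split("/").filter(Boolean)) {
    let key = segment;
    if (!Object.prototype.hasOwnProperty.call(node, key)) {
      key = Object.keys(node).find((k) => k.startsWith("$")); // $wildcard capture
      if (key === undefined) return false; // no rule reaches this path: denied
      vars[key] = segment;
    }
    node = node[key];
    if (granted(node)) return true;
  }
  return false;
}

const signedIn = (auth) => auth !== null;
// Layout A (constructed): public and private fields under one readable node.
const mixedRules = {
  users: { $uid: { ".read": signedIn, email: { ".read": () => false } } },
};

// Layout B (constructed): private fields moved to a sibling tree with its own
// rule; "premium" is a hypothetical custom claim set server-side on the token.
const splitRules = {
  profiles: { $uid: { ".read": signedIn } },
  private: { $uid: { ".read": (auth, v) => signedIn(auth) && auth.uid === v.$uid } },
  paidContent: { ".read": (auth) => signedIn(auth) && auth.token.premium === true },
};

const alice = { uid: "alice", token: {} };
const bob = { uid: "bob", token: { premium: true } };
function demo() {
  return {
    leak: canRead(mixedRules, "/users/alice/email", bob),           // true: child rule ignored
    publicOk: canRead(splitRules, "/profiles/alice/name", bob),     // true
    otherPrivate: canRead(splitRules, "/private/alice/email", bob), // false
    ownPrivate: canRead(splitRules, "/private/alice/email", alice), // true
    claimGate: canRead(splitRules, "/paidContent/item1", alice),    // false: no claim
    claimOk: canRead(splitRules, "/paidContent/item1", bob),        // true
  };
}
console.log(demo());
```

In real rules the same predicates are strings such as `auth != null`, `auth.uid === $uid` and `auth.token.premium === true`.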

Alex Mamo

Reputation: 138824

You can secure your database using Firebase Realtime Database Rules.

Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it. By default, your rules are set to allow only authenticated users full read and write access to your database. This is to protect your database from abuse until you have time to customize your rules or set up authentication.

All your requirements can be met using security rules.

Upvotes: 1
