gerardogala1959

Reputation: 77

Firebase email saying my Realtime Database Rules has insecure rules

I want to piggy-back on a question asked years ago as I have the same rules Firebase email saying my realtime database has insecure rules

Here are my rules: Security Rules

  1. All Sign-in Methods are disabled except for email/password.
  2. I only have one account of email/password.
  3. I don't allow anyone to log in - no GUI to log into.

So the question is: What else can I do to totally secure my Firebase Database? Thanks!

Upvotes: 0

Views: 677

Answers (1)

Renaud Tarnec

Reputation: 83093

You have to know that as soon as (1) someone has the Web API Key of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign up to your project (i.e. create a new account).

Getting the Web API Key is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).

Consequently, rules based only on "auth != null" allow anyone who has signed up through the REST API to access your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.

One classical approach to prevent "non-desired" users from accessing data is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: see the doc for more details.

Upvotes: 2
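A Realtime Database rules file illustrating the answer's point, added here as an example and not taken from the question or the answer. It puts the weak `auth != null` pattern next to a rule that also requires a custom claim; the claim name `admin` and the paths `weak_example` and `privateData` are assumptions for the illustration.

```json
{
  "rules": {
    // Default deny: nothing is readable or writable unless a deeper rule grants it.
    ".read": false,
    ".write": false,

    // Weak pattern from the question. Any signed-in account satisfies it,
    // including one self-registered through the Auth REST API with the Web API Key.
    // Kept only for comparison; a real deployment would not contain this path.
    "weak_example": {
      ".read": "auth != null",
      ".write": "auth != null"
    },

    // Hardened pattern: being signed in is not enough, the ID token must also
    // carry the custom claim "admin" (assumed name). Custom claims are exposed
    // to rules under auth.token, so a self-registered account, which has no
    // claim, evaluates auth.token.admin as undefined and is denied.
    "privateData": {
      ".read": "auth != null && auth.token.admin === true",
      ".write": "auth != null && auth.token.admin === true"
    }
  }
}
```

The claim is set from a trusted environment with the Admin SDK (`getAuth().setCustomUserClaims(uid, { admin: true })` in Node), never from client code, and it only appears in the ID token after the client signs in again or force-refreshes the token. The rules file can be deployed with `firebase deploy --only database`.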
