Google Firebase detailed security rules Part 1

Posted on

by Waleed S.

I’ll be showing you how Google’s Firebase security rules in detail with my custom iOS app with slight changes. In addition to securing your Google Firebase API’s, you must also secure your Firebase Realtime Database. This is secured by applying security rules to the database in the Firebase console. I highly recommend using the provided simulator to test and verify the expected results that you expect for your web or application! I will not be responsible for your misconfiguration or lack of understanding of what this article entails.

Basic rules

100% Closed

// These rules don't allow anyone to read or write access to your database
{
  "rules": {
    ".read": false,
    ".write": false
  }
}

This is the MOST restrictive rule, no one is allowed to do any CRUD operations. Also, this is the least useful one. (I don’t know why I even bothered with typing this 🙂 let’s continue)

This below is open for anyone in the world to read and write, even worse than the most restrictive security rules.

100% Open


// OPEN TO THE WHOLE WORLD
// read and write access to your database
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

This one below is a good starting point but it does require modification depending on your needs. If you’re going to have users sign up and sign in functionality then start with this.

User ID based

// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
   ".read": "auth != null",
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

The first rule means only authenticated users can read everything! Which is most likely what you want to start with. The second rule says only information from the “users” tree that has a node ID that is equal to the current user’s ID, may have full read and write permissions on that exact node. In the example below, the current user has full access to node1, not node2. 

// assume current user id is 22222222222

someApp-1234
 users
  node1: 11111111111
    key: value
    key: value
  node2: 22222222222
    key: value
    key: value

References

Published by

Waleed S.

Waleed S.

It's me!

One thought on “Google Firebase detailed security rules Part 1

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.