phpfirebasefirebase-realtime-databasefirebase-security

How to properly set a secured Firebase rules


I used the following code in PHP to insert records into Realtime Firebase and it's working fine.

// Initialize Firebase Credentials
const URL = 'Firebase URL GOES HERE';
const TOKEN = 'Firebase Access Token';

const PATH = '/myapp/usersinfo';

use Firebase\FirebaseLib;

$firebase = new FirebaseLib(URL, TOKEN);

$data = [
'email' => 'test@gmail.com',
'fullname' => 'Nancy Moree',

];
$tim =  time();


$add = $firebase->set(PATH . '/' . $tim, $data);

Now I needed to set Firebase rules.

This is what I set but Google sent me a message on email that my Firebase rules are insecure and that it can allow anyone to access my entire database.

{
  "rules": {
    "myapp": {
      ".read": true,
      ".write": false
    }
  }
}
 

How do I configure a secured rules as my Firebase path is

const PATH = '/myapp/usersinfo';

Solution

  • With your current security rules, anyone anywhere can read the entire database simply by accessing https:<your database>.firebaseio.com/.json. Given that you have user data even in your code sample, that is a security risk - which is what Firebase warns you for.

    To secure access, your rules should allow only the exact access that your code needs - and nothing more. So if your code accesses /myapp/usersinfo, then the first step is to only allow read access to that node and nowhere else. Check the documentation on security rules to learn more about that.

    Typically you'll be able to lock it down further. For example, if your code actually only reads the data for the current user, you can implement owner-only access.

    As Doug commented, we can't implement all the rules for you, but the important thing is to ensure your security rules only allow the minimal access that your code requires. Anything more that the rules allow is a security risk for the data you store.