Questions about Firebase rules

I want to create a chat app. When you are on the main menu you can select “Chat”. This creates a unique username for you and you enter the chatroom. Someone else comes along and the two of you are connected. You can then chat to each other.

The messaging is done via Firebase. When a user types a message it is stored to Firebase. The DataChanged block will then display the message on the other person’s phone. Therefore only the latest message is stored in Firebase. Once one or both users leave the chatroom the message is deleted from Firebase.

In my app I do not ask for any user details at all (ie name, email, phone number etc).

If I leave read and write rules to true anyone can hack my database.

  1. Does this mean a hacker can delete/modify the latest message the users are exchanging?

To secure Firebase I need to authenticate users. This means their details will need to be stored in Firebase. However, I do not want to store any of these details. Only the latest message should be stored.

  1. How can I secure Firebase without authenticating users?
  1. Yes
  2. You can't

That was the short answer

  1. If someone else has access to your aia project or firebase url or API key then they can wipe your data.

Words of warning here

  1. You can make your firebase read only to anyone, but you would need to have an authenticated user to write data.

I cover firebase rules here:

Thanks for your help.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.