Questions about Firebase rules

deanart2012 · November 16, 2020, 9:30pm

I want to create a chat app. When you are on the main menu you can select “Chat”. This creates a unique username for you and you enter the chatroom. Someone else comes along and the two of you are connected. You can then chat to each other.

The messaging is done via Firebase. When a user types a message it is stored to Firebase. The DataChanged block will then display the message on the other person’s phone. Therefore only the latest message is stored in Firebase. Once one or both users leave the chatroom the message is deleted from Firebase.

In my app I do not ask for any user details at all (ie name, email, phone number etc).

If I leave read and write rules to true anyone can hack my database.

Does this mean a hacker can delete/modify the latest message the users are exchanging?

To secure Firebase I need to authenticate users. This means their details will need to be stored in Firebase. However, I do not want to store any of these details. Only the latest message should be stored.

How can I secure Firebase without authenticating users?

TIMAI2 · November 16, 2020, 9:37pm

Yes
You can't

TIMAI2 · November 16, 2020, 9:41pm

That was the short answer

If someone else has access to your aia project or firebase url or API key then they can wipe your data.

Words of warning here

You can make your firebase read only to anyone, but you would need to have an authenticated user to write data.

I cover firebase rules here:

deanart2012 · November 17, 2020, 12:02am

Thanks for your help.

system · November 24, 2020, 12:02am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.