Questions tagged [firebase-security]

The Firebase Security API uses a flexible authentication system and an expression-based rules language to provide a very flexible security model.

Security Rules determine who has read and write access to the data in your Firebase Database, Cloud Storage for Firebase, and Cloud Firestore. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it.

For the Firebase Database and Cloud Firestore, the rules also validate how your data is structured, and what indexes exist. For Cloud Storage, the rules can also be used for data validation, including validating file name and path as well as file metadata properties such as content type and size. For Cloud

To learn more about Firebase's Security API, see:

5411 questions
13 votes, 2 answers

How to only allow one admin user to write Firebase Database?

I am trying to set up a Firebase database that only I can write. So no user will have permission to write anything. But everyone will be able to read it. However, I could not set up the rules for it. I have one admin user that I created using…
13 votes, 5 answers

Firebase Google Auth offline access_type in order to get a token refresh

We are using Firebase with Google authentication. We chose Google because our application makes Google API calls. We authorize these API calls with the access_token included in authorization payload that is returned from Firebase. However, we are…
hubbardr
13 votes, 3 answers

Firebase how to secure numeric data from manipulation by users, eg. game score

I am developing a multiplayer game with Firebase. Player score is recorded in firebase after each game, and also a playerTotalScore field is updated with the new total. My question: Is it possible to secure playerTotalScore field against arbitrary…
Jarnal
12 votes, 1 answer

GCP: How to grant a role to a service account on a Firestore collection?

We can share a BigQuery dataset with a service account, we can add a service account as a member to a specific bucket by assigning to it a specific role....using graphic interface. What about Firestore? Can we share a specific collection with a…
12 votes, 0 answers

How to deal with firebase "No auth token for request"

I'm using a firebase cloud storage to write files to and from a (react-native) android app, and even though my rules are on public, my device log keeps spitting out: W/NetworkRequest: no auth token for request and W/StorageUtil: no auth token for…
niedem
12 votes, 1 answer

Function not found error: Name: [get]. in firestore security rules simulation

match /UserProfile { match /{uId}{ allow get: if isUserLoggedIn() && !isUserBlocked(uId); } When I try to get data from UserProfile/{uId} using the above security rules it throws the following error in the firestore and in code it says…
Harkal
12 votes, 1 answer

Prevent duplicate entries in Firestore rules not working

I'm trying to prevent duplicate entries using Google Firestore rules, however it's not working. The rule I'm trying is: service cloud.firestore { // Prevent duplicate messages match /databases/{database}/documents { match…
12 votes, 2 answers

Firestore security rules: How to validate that a field is undefined?

When a user signs up and they initialise their data in firestore, I want to validate that they aren't attempting to set their role (i.e. so they're not setting it to 'admin' for example). I tried to write this: match /users/{userId} { allow…
Joseph Humfrey
12 votes, 1 answer

Firestore: Delete document and security rules

Description I have a problem dealing with deletion using firestore. In short, I created a security rule for posts like this: First there are some functions in the rules: service cloud.firestore { function userRoles() { return ['admin',…
12 votes, 3 answers

Firestore rules if..else

I have just started to get my head around Firestore rules and my head is expanding rapidly. I'm trying to work out how to apply a rule to one collection and another rule to all other collections and their sub-collections. So I start with the default…
12 votes, 3 answers

firestore security rule request.auth.uid is not working

Firestore security rules do not work. Help me. Document data of users/userid could not be read. ----------Security Rule------------ service cloud.firestore { match /databases/{database}/documents { match /users/{userId=**} { // Missing or…
12 votes, 1 answer

Firebase Storage Custom metadata security rule for list of uids

I'm developing a messaging iOS app, where a user can send the same message to multiple people. The message is saved in firebase storage. I want to only enable the users who have been sent the message to be able to read it from storage. I am already…
Edward
12 votes, 2 answers

Firebase Storage Post rules apply to Delete rules

These are my rules, applied to an img dir: match /img { match /{fileId} { allow read, write: if request.resource.contentType.matches('image/jpeg') || request.resource.contentType.matches('image/png') …
cerealex
12 votes, 1 answer

Firebase: How to structure public/private user data

Naturally the users in my database have information that can be publicly accessible and other information only they should see. I'm considering two different ways to implement this. Option 1: Have /users/$uid readable only by that user and have…
Jacob Phillips
12 votes, 2 answers

Only allow writes from service account in Firebase?

I would like to make writes to my Firebase data from a node.js server but deny all writes to any other client. Any other client should only be allowed read access. What is the best approach for this? Would I need to authenticate from node.js server…
nomad