AleBarreto / FirebaseAndroidChat

Chat with features : Login with Google | Send Photo Camera | Send Photo Gallery | Send Location

Please provide Firebase rules used #28

Open androidovshchik opened 5 years ago

fritexvz commented 5 years ago

Use Real Database - click on the dropdown, select "Cloud Firestore" and choose Real-Time Database.

```json
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    ".read": true,
    ".write": true
  }
}
```

androidovshchik commented 5 years ago

@fritexvz Sorry, but this is a very, very bad config) Is there anything more secure?

fritexvz commented 5 years ago

Truly said. You can use it for debugging and testing.

But, regarding the security, this one is the most suitable:

DB

```json
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
```

STORAGE

```
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}
```

Description: The account has to be signed in, with one or more enabled options available on the Firebase Sign-in method tab.

Full link: https://stackoverflow.com/questions/42101663/firebase-database-secure-without-firebase-auth

With the above rules you cannot even read the JSON file with a basic HTTP URL, as explained here (REST API), without an authenticated user: https://firebase.google.com/docs/reference/rest/database#section-param-download

I suppose you are using Realtime Database? I am not yet familiar with Firestore.
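An added example, not code from this thread or from the FirebaseAndroidChat project: a small audit that classifies each `.read`/`.write` in a Realtime Database ruleset and applies the cascade (a grant on a parent path also applies to its children). The `chat/$uid` rule in the sample is hypothetical, and the level ordering is a heuristic assumed for illustration.

```python
import json
import re

# Constructed sample: the thread's signed-in-only root rules plus a
# hypothetical per-user rule under chat/$uid.
SAMPLE = '''{
  /* constructed sample */
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "chat": { "$uid": { ".write": "auth.uid === $uid" } }
  }
}'''
OPEN = '{"rules": {".read": true, ".write": true}}'  # first ruleset in the thread

LEVELS = ["denied", "conditional", "any-signed-in-user", "public"]  # narrow -> broad


def strip_comments(text):
    """Drop /* */ and // comments (accepted by the rules editor, rejected by json.loads); keep strings."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0)[0] == '"' else "", text, flags=re.S)


def classify(expr):
    """Map one rule expression to an exposure level."""
    text = str(expr).strip().lower()
    if text in ("true", "false"):
        return "public" if text == "true" else "denied"
    return "any-signed-in-user" if re.fullmatch(r"auth\s*!==?\s*null", text) else "conditional"


def audit(rules_text):
    """Return {(path, rule): effective level}; a grant on a parent path cascades to its children."""
    findings = {}

    def walk(node, path, inherited):
        own = dict(inherited)
        for rule in (".read", ".write"):
            if rule in node:
                level = classify(node[rule])
                # Rules OR together down the tree, so keep the broader of parent and own.
                own[rule] = max(inherited[rule], level, key=LEVELS.index)
                findings[(path or "/", rule)] = own[rule]
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}", own)

    root = json.loads(strip_comments(rules_text))["rules"]
    walk(root, "", {".read": "denied", ".write": "denied"})
    return findings
```

On `SAMPLE`, the per-user write rule is reported as `any-signed-in-user` because the root grant already covers that path.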