This question already has answers here:
Firestore Security Rules: Passing a request parameter in a get() call?
(1 answer)
Can I send value with request to Firestore rules
(2 answers)
Closed 3 months ago.
I have a URL like: https://myweb.com/customer/order?resId={resId}&tableId={tableId}
i research a lot but kind of like my issue was not anyone refuse yet: https://firebase.google.com/docs/rules/get-started
and I want to access this URL to allow read, and write without auth because I tend to use this route for Customers who scan QR and direct to my website
and my Firebase Cloud have tree collection like restaurant (auto-generate-ID) > table(auto-generate-ID)
What can I do to handle, please help me
Related
This question already has answers here:
What is the purpose of Firebase AppCheck?
(3 answers)
Does Firebase App Check discard the need for implementing Security Rules?
(1 answer)
Closed 6 months ago.
I have built an app (Android/iOS) using Flutter that allows its users to configure the app to receive a daily notification. Users can also submit a textfield. There is no requirement for users to register and authenticate.
I am using Firestore to store data from the app.
I have architected the app so that the Firestore rules allow any access:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
To prevent anyone accessing my app's Firestore instance, I have implemented App Check, and Enforcement is enabled.
I have begun to get messages from Google '[Firebase] Your Cloud Firestore database has insecure rules'.
Can anyone advise:
Should I ignore the warnings from Google?
Must I implement user registration and authentiation when it's not necessary for the app?
Should I architect my app in a different way?
Should I do something else?
Thanks,
Luke
Should I ignore the warnings from Google?
Ignoring the warning is not recommended as it may cause security issues.
If you're allowing anyone to access database, then they can take advantage and modify, or delete your data. And your database remain unsecured
2.Must I implement user registration and authentiation when it's not necessary for the app?
If it is not necessary for authenticating user for your application then you can apply some validation rules to restrict certain database nodes or you can permit role based access. In this way you can reduce security issues.
#samthecodingman has given excellent details about number of ways to tighten up database to prevent security issues in similar thread
This question already has answers here:
Firebase Database - Risks associated with exposing uid on the client side?
(1 answer)
Is auth.uid a shared secret?
(2 answers)
Closed 2 years ago.
I'm designing a Firestore database for a Facebook-like, social media app and giving the users the option of posting publicly (name included) or anonymously. I had planned on putting all the posts in a top-level collection and using a uid field so users could retrieve and edit their own posts. However, it occurs to be that these uids would be pulled down when users read anonymous posts, so vulnerable to hacking? (e.g., finding non-anonymous posts with the same uids and exposing the user.)
So, now I'm thinking I'll keep the posts as subcollections of the user so that a uid isn't required.
Is my security concern valid? If so, is subcollections the better/best approach?
EDIT: My question is not a duplicate of this question or this question because it's asking about keeping user's anonymity, not editing their data.
Your point is right - the user ids could be exposed via initial method. There are several methods to approach this based on your solution.
All posts in users/{uid}/posts/{pid}
I wouldn't rate it the best method as it would require you to query all subcollections of user/post to show a "news feed".
Keeping the current structure & setting userid to anon
You can keep the current structure & set user id to anon in the document. This wouldn't let the OP edit his own anonymous post. To fix that, we can have another subcollection in users/{uid}/posts/{pid}. That would contain a "link" to posts/{pid}
This method is a combination of both of your methods.
This question already has answers here:
Is there any way to give everyone access to firestore database, but only via app?
(1 answer)
How can I set Rules in Firebase so that only my app can write on my database firestore?
(1 answer)
Closed 2 years ago.
I am making a mobile app with Firestore and React Native.
There is no authentication system and upon starting the app, the user download a collection from Firestore.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
}
}
}
As of right now, the rule allows everyone to read from the database. Is it possible/advisable to limit the traffic to only our mobile app?
It's not possible to use security rules to limit access to a certain app. If your rules allow read access without requiring a sign-in using Firebase Authentication, then anyone with an internet connection can perform reads.
Minimally, you could require anonymous authentication. But that still would not stop someone from creating an account and using that to read everything without going through the app.
This question already has answers here:
Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
(36 answers)
How does the 'Access-Control-Allow-Origin' header work?
(19 answers)
Closed 4 years ago.
I am deploying my first app on heroku. (It's a node.js/react app.) The app has deployed successfully, but when I try to login I get this error:
Access to XMLHttpRequest at 'https://<myApp>.herokuapp.com/users' from origin
'https://<myApp>-front-end.herokuapp.com' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: No 'Access-
Control-Allow-Origin' header is present on the requested resource.
I know other answers explain how to fix this problem with a proxy url, but I am wondering whether I did something wrong in the first place. Following an online tutorial, I deployed the front end and back end separately, and that seems to be causing the problem. Should I have deployed the front end and back end together to avoid this problem? Or is getting around this problem a normal part of deploying an app?
This question already has an answer here:
"Requires a valid user is specified ..." error when using getCount
(1 answer)
Closed 5 years ago.
I would like to share with another friend's wall. but get the following error
Fatal error: Uncaught Exception: 240: Requires a valid user is specified (either via the session or via the API parameter for specifying the user.
Next time you should search Google before asking a question.
The answer to the this duplicate question will give you the answer for this question.
You can find the Test Console for REST API user.setstatus here for assistance.