26. Database Security Rules
Remember the database rules we changed? We made it so anyone can read and write data without checking authentication.
Let’s change it back to the default rules, which means that users need to be authenticated to read and write data. These rules are enforced by the Firebase servers, so there is no way for our users to bypass the rules that we set.
These rules are a good starting point for a simple chat app like FriendlyChat, but there are certainly plenty of cases where we will want to further restrict access. Let’s examine how Firebase Database security rules make this possible.
Rule Types
Firebase allows three main rule types: .read, .write, and .validate. Each of these can be set to “true” or “false” and can apply to the whole database or a particular location in the database depending on how they are configured.
| Rule Type | Description |
|---|---|
| .read | Describes whether data can be read by the user. |
| .write | Describes whether data can be written by the user. |
| .validate | Defines what a correctly formatted value looks like, whether it has child nodes, and the data type. |
Predefined Variables
Firebase Database Security includes a set of predefined variables that enable you to customize data accessibility. Below is a list of predefined variables and a link to each API reference.
| Variable | Description |
|---|---|
| now | The current time in milliseconds since Unix epoch time (January 1, 1970). |
| root | Corresponds to the current data at the root of the database. You can use this to read any data in your database in your rule expressions. |
| newData | Corresponds to the data that will result if the write is allowed. |
| data | Corresponds to the current data in Firebase Realtime Database at the location of the currently executing rule. |
| $variables | A wildcard path used to represent ids and dynamic child keys. |
| auth | Contains the token payload if a user is authenticated, or null if the user isn't authenticated. |
We will expand on the auth variable because we will use it in database security examples.
Auth
The auth variable contains the JSON Web Token for the user. JSON Web Token is a standard that defines a way of securely transmitting information between parties, like the database and a client, as a JSON object. Once a user is authenticated, this token contains the provider, the uid, and the Firebase Auth ID token.
The provider is the method of authentication, such as email/password, Google Sign In, or Facebook Login.
The uid is a unique user ID. This ID is guaranteed to be unique across all providers, so a user that authenticates with Google and a user that authenticates with email/password do not risk having the same identification.
The Firebase Auth ID token is itself a web token. Yes, this means that there is a web token inside of the Auth web token! This token can contain the following data:
| Data | Description |
|---|---|
| email | The email address associated with the account. |
| email_verified | A boolean that is true if the user has verified they have access to the email address. Some providers automatically verify email addresses. You can customize authentication to include email verification for email/password on iOS. |
| name | The user’s display name, if one is set. |
| sub | The user’s Firebase UID. |
| firebase.identities | Dictionary of all the identities that are associated with this user's account. |
| firebase.sign_in_provider | The sign-in provider used to obtain this Firebase Auth ID token. |
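The rules file below is an added example, not taken from the FriendlyChat project. It tightens the authenticated-only default using the rule types and predefined variables described above. The /messages and /users paths and the uid, text and timestamp fields are assumed for illustration.

```json
{
  "rules": {
    // The default rules would put ".read": "auth != null" and
    // ".write": "auth != null" here at the root. They are left out on purpose:
    // .read and .write grants cascade downward, so a grant at the root
    // cannot be taken away by a stricter rule on a child path.

    // Assumed layout (not from the page): /messages/<messageId>
    "messages": {
      // auth is null for unauthenticated requests, so only signed-in users can read.
      ".read": "auth != null",
      "$messageId": {
        // Create-only: data is the existing value, so once a message exists
        // it can no longer be overwritten or deleted by any client.
        ".write": "auth != null && !data.exists()",
        // newData is the value that would result if the write were allowed.
        ".validate": "newData.hasChildren(['uid', 'text', 'timestamp'])",
        // The author field must match the uid in the caller's token.
        "uid": { ".validate": "newData.val() === auth.uid" },
        "text": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 500"
        },
        // now is server time in milliseconds; reject timestamps from the future.
        "timestamp": { ".validate": "newData.isNumber() && newData.val() <= now" },
        // Any child key other than the three above is rejected.
        "$other": { ".validate": false }
      }
    },

    // Assumed layout (not from the page): /users/<uid>
    "users": {
      "$uid": {
        // The $uid wildcard captures the path segment; each user reads only their own record.
        ".read": "auth != null && auth.uid === $uid",
        // Writes also require the email_verified claim from the Auth ID token.
        ".write": "auth != null && auth.uid === $uid && auth.token.email_verified === true"
      }
    }
  }
}
```

Unlike .read and .write, .validate rules do not cascade, so every level that needs a format check carries its own rule.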