This was the best(most comprehensive and actually useful) talk out of all Firebase talks so far :thumbsup:
+Agon Bina yup .. most others were pretty superficial.. but he needed to be slow as he was explaining a critical part of the platform
Thanks guys! Glad you enjoyed the talk and got something out of it :)
It is pretty impressive he could convey that much info in just 43 minutes. Very good technical info, also being very well presented!
I bet the live audience was bewildered. I had to pause/rewind very often to absorb everything. But this video helped me out HUGELY with my project. Thumbs up!
I'm quite critical on how people teach things and I have to say that this was one of the best explanations for anything I've ever watched. Bravo!
Instead of reading a lot of docs, I watched this. It's so useful.
Great presentation Jacob! That was a goooooooooooaaaaaaaaaal!
Thanks! ⚽⚽⚽
RIP headphone users..
This was something that made some of the rules understandable!
Very good talk :D
I think that everyone who watched this talk (except that thumbs down guy) agrees that it's probably the best Firebase talk, and a very high-quality one, which is really great for such an important topic as security!
I don't have much experience in security (apart from avoiding obvious flaws), but as an Android Developer, I found this very understandable.
Thanks a lot Jacob, and thanks to Firebase and Google too for making it possible!
Jacob I finished my last app last June from the Udacity Android Nanodegree using Firebase. Your explanation is soooooo good mate. It is very easy to understand....Thanks for that...
+Jacob Wenger
In the app that will read this data, how would you go about finding the public metadata to display to the users what games are available?
The read rule will not allow you to enumerate the key values for each game, so how could you query the metadata information?
e.g. You need to know the key (push id) in order to read the isPublic boolean in the metadata object.
/games/-KHajPD89j1uEPr8-E5i/metadata/isPublic
I'm trying to build a very similar type of structure for an idea that I have, but I have a hard time designing the data structure and managing security. I also want to control whether a game is public or not and should be displayed to the user.
Hello, have you found a solution to this issue? I am wondering exactly the same thing: how can I retrieve the game IDs if I don't have access to them?
same here
At 25:18 he says that because read rules are ORed together, the write overall will be allowed. This may not be right; I think he mistakenly said write. It is actually read which is allowed, because of rule cascading.
One of the most amazing videos I have watched about Firebase!
Where do you get "gamesID" from?
Why not change the database rules to be like the storage ones? It would be more consistent and easier to use :c
This video is AMAZING, even for a newbie like me I was able to build my security rules just by watching this video.... like 10 times haha. Thanks a lot Google!
The API key and project name shown at 7:10 are not known to public, right? Does APK decompiling reveal these details?
Exactly what I was searching for, thanks!
Still one of the best Firebase related talks!
Can somebody help me with a few rules? (only need 2 to secure my DB)
As for validating what they say about security: when someone runs a sniffer on the network and a user who has rights to read and write accesses the DB, the key travels in the packet to Firebase. It is intercepted by the sniffer, and the key can be used to access everything you want from that user.
At 12:50, shouldn't it be && (AND operator) instead of || (OR operator)? Anyone can still access the game data even with anonymous authentication.
It's a public game, so perhaps it doesn't matter?
Hey Jacob, you've done a great job with this presentation! I was struggling to understand this stuff and you definitely saved me a lot of time! Thx a lot!
Nice presentation, Jacob. Security rules are quite hard to understand, but you've explained them well, so new developers can understand them. But I am confused about how to set up security rules for data which expands randomly?
The Firebase connection string and data are visible if we access the data via a browser. What can be done about that?
It took too much effort to learn all these things back when Firebase was released, and this talk just gives it all in one shot. Well, thumbs up.
And questions...
1. Can we access database data in storage rules?
2. When will this new rules language be available for the database, or will it use Bolt?
1. Can we access database data in storage rules?
Not yet, although that is on our radar. See the discussion here: groups.google.com/forum/#!msg/firebase-talk/FxwKuGo2wpI/9jJ2huLEGwAJ
2. When will this new rules language be available for the database, or will it use Bolt?
We don't have any dates to announce. We would love to have a unified rules language at some point though. For the time being, continue to use things like Bolt.
Well thanks a lot.
I understand the principle and the need for security rules, and I am intending to write them as required.
My question is this... in the instance that I forgot/missed putting a rule in for a particular branch in the JSON tree, how will a user/anyone know the paths of my JSON tree to do malicious adds/removes in the JSON tree?!
In my example, I have an iOS app that has the UI, numerous viewControllers, that do all the adding/removing of any info/objects to the Firebase backend. How would an end user even know how to manipulate the paths in my Firebase backend when they are not exposed to my Firebase structure!?
This is a phenomenal presentation
ditto, one of the best talks on a critical part of firebase 😀
Why can't I host the Firebase data on my own server, like RxDB or RethinkDB?
Excellent presentation, truly useful, thank you immensely !!!
I was wondering all the time what the server-side language in Firebase is. This answers it.
no language, just Rules :)
+Ivan Wang yup. Syntax similar to Node.js
Both the Database and Storage Rules languages are custom rules languages designed by the Firebase team, but they are heavily influenced by JavaScript.
Thanks yellow guy!
Made my day :D
Great presentation, you open a door to the development
Hi Jacob,
Can you please direct me to how you added an admin user to the Realtime Database?
Nice presentation! Helped me clear a lot of the doubts I had.
How do you use username/password combination authentication?
Can we download the slides somewhere?
Hi Jacob.
Thanks for such a good talk.
Right now I'm migrating from Parse, but I've run into a problem that I can't figure out. Maybe you can give me a hint.
I have an app where users can buy tickets to attend training classes. With the tickets they can select which classes they want to attend, and reschedule them.
Let me show you an example:
- Let's say a user buys tickets for 4 classes.
- Then he assigns them to 4 training classes.
- One day he can't attend one, so he deletes it and assigns his ticket to a different one.
The problem is that I need to keep track of the number of available tickets in order to let him assign them to classes, but if I grant him ".write" permissions, a user with technical knowledge could exploit this configuration and grant himself unlimited classes.
I also thought about using a counter of available tickets, but again, I would have to grant the user permissions to update this field and, eventually, run into the same issue.
Any thoughts?
Thanks again!
PS: I hope I explained myself well.
Alejandro Jimenez, you can count the number of nodes under the tickets node and allow the write only when it is less than the number of purchased tickets.
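One way to express the reply's suggestion in Realtime Database rules, as an added example that is not from the talk or the commenters. It assumes a constructed layout: the purchased count lives at /users/$uid/purchasedTickets and is written only by the Admin SDK (which bypasses rules), and each booking is a child of /users/$uid/classes.

```json
{
  "rules": {
    "users": {
      "$uid": {
        // Constructed layout for this example: the server (Admin SDK) sets
        // purchasedTickets after a purchase. ".write": false means no client
        // can ever raise its own ticket count, only trusted server code can.
        "purchasedTickets": {
          ".read": "auth != null && auth.uid === $uid",
          ".write": false
        },
        // Bookings live at classes/$classId: true. The owner may add, move or
        // delete bookings, but the merged result after the write may never
        // hold more bookings than tickets were purchased. Deleting a booking
        // always passes, because .validate is skipped when newData is null.
        "classes": {
          ".read": "auth != null && auth.uid === $uid",
          ".write": "auth != null && auth.uid === $uid",
          ".validate": "newData.numChildren() <= root.child('users/' + $uid + '/purchasedTickets').val()",
          "$classId": {
            // Each booking must point at a class that really exists under a
            // constructed top-level /classes node.
            ".validate": "newData.val() === true && root.child('classes/' + $classId).exists()"
          }
        }
      }
    }
  }
}
```

If purchasedTickets is missing for a user, the comparison against null fails and every booking write is rejected, which is the safe default.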
The issue is poor documentation.
Great talk! Given the content , incredibly clearly described. A+++
Is this information still up to date?
This guy should act in Big Bang Theory :-)
Seriously great stuff. Yet some questions remain. In your example the users are unable to get the list of "games" as they have no access rights to that. $GameID is pretty much random. How do they set up an observer on the "games" node to list the available gameIDs without having access? If I give them access to "games" then cascading applies. It is a bit unclear.
I'd like to know the answer to this too. At the moment, the only way I can see this working is to maintain a list of game ids somewhere else and use this list to iterate through the games and let firebase security reject access. I have no idea how performant that would be.
OneKarl1 yes, this is how I solved this issue too. But then consistency problems arise. I cannot ensure that ids exist on both nodes. I can set up a rule for one node to ensure that a given id exists on the other node, but I cannot ensure the opposite direction. Result: orphaned nodes at the end. Firebase should support transactions more seriously than at present with this approach.
Also: do not rely on a rejection scheme. Once you have access to a node, a later rejection of that node will not raise the "onremoved" event on your observer. So it will be stuck in front of your user regardless of the fact that access has been denied later.
Hi, I am also facing the same issue. Do you have an answer?
same
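The question raised twice in this thread (how clients can list game IDs when /games itself is not readable, and how the public metadata at /games/$gameId/metadata fits in) can be handled with a separate index node. This is an added example, not from the talk or the commenters; it assumes a constructed /public_games index and a constructed owner field at /games/$gameId/owner.

```json
{
  "rules": {
    // No ".read" at /games: nobody can enumerate every game directly.
    "games": {
      "$gameId": {
        // Only the owner may read the whole game or change it. Rules cascade
        // downward, so this grant also covers the metadata child below.
        ".read": "auth != null && auth.uid === data.child('owner').val()",
        ".write": "auth != null && (data.exists() ? auth.uid === data.child('owner').val() : auth.uid === newData.child('owner').val())",
        "metadata": {
          // Anyone may read the metadata of a game flagged public. Read rules
          // are ORed, so this extra grant cannot take access away from the
          // owner; it can only add access for everyone else.
          ".read": "data.child('isPublic').val() === true"
        }
      }
    },
    // Constructed index: /public_games/$gameId: true. Clients read this list
    // and then fetch /games/$gameId/metadata for each entry; a game that was
    // later made private still appears here but its metadata read fails.
    "public_games": {
      ".read": true,
      "$gameId": {
        // Only the game's owner may add or remove an index entry, and an
        // entry may only be added for a game that exists and is public.
        // Deleting the game does not delete this entry, so orphaned index
        // entries need cleanup by trusted server code.
        ".write": "auth != null && auth.uid === root.child('games/' + $gameId + '/owner').val()",
        ".validate": "newData.val() === true && root.child('games/' + $gameId + '/metadata/isPublic').val() === true"
      }
    }
  }
}
```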
Amazing! Thank you Jacob! Perfect explanation
How do you skip child nodes which the user has no privileges to visit?
Can we retrieve data of authenticated users?
best explanation ever.
Can we borrow your code for example?
Awesome explanation
Amazing explanations!
Thank you very much, now I understand the rules better. Thanks.
Excellent this made many things clear
Flawless... thank you!
This is soooo well explained :)
At 16:45 he introduces the metadata object to put all the public elements in.
I am trying to do something similar in my project, and my question is, how do I collect the metadata into a JavaScript object? If someone is interested in helping, here is a link to my question on Stack Overflow: stackoverflow.com/questions/46007534/getting-only-public-data-from-firebase-references-children
Very good information! Is there a version of this presentation that's meant just for those of us who are brand new to Firebase? Introducing all the old ways while explaining the new is really confusing when you're someone who never used the old to begin with. It feels like the presentation goes in circles over and over again for about the first half or so. I understand that it's important to do that for those who are long-time Firebase users, but for someone who's new, the first half of the video seems like a lot of "this would work, so let's do it, but no, that doesn't work, so we'll do this here, even though that doesn't work either, so now we'll do this..." repeatedly. It's too easy to get lost.
31:45 lol
Such a great tutorial :D
14:48
Wow, awesome.
Great presentation but I think this is the worst part of Firebase.. quite primitive. If a slick UI was built for the rules it could be better.
It's not soccer, it's called football;)
Most chairs are empty.....
He has made it too complex