
Security Rules deep dive

  • Published 31 Jul 2024
  • In Firebase, you can access the backend directly from your client app, so how can you keep your users' data safe and secure? The short answer is Security Rules! Join Rachel and Sam to learn what Security Rules are, how you can use them to make sure users can see and change only their own data, how to use them to validate your application's data, and some pitfalls you'll want to avoid when implementing them in your app.
    Chapters:
    0:00 - Introduction
    0:27 - How Firebase's architecture differs from traditional application architectures
    0:55 - How can you keep your users' data secure in Firebase?
    1:27 - Simple and complex Security Rules
    2:15 - Match Statements
    2:51 - Tip: Avoid Global Rules
    3:02 - Tip: Use Rules like a Schema
    3:12 - Permissions
    3:45 - Tip: Avoid overlapping rules
    3:50 - Conditions
    4:10 - The Resource object
    4:34 - The Request object
    5:14 - Using custom functions
    5:55 - How to model your data
    6:48 - Data Validation
    7:29 - Tip: Trusted Environments skip Security Rules
    8:33 - Test Security Rules using the Firebase Emulator Suite
    9:25 - Use the debug function to debug your rules
    9:40 - Use the requests monitor to inspect incoming requests
    10:20 - Wrap up and summary
    Resources:
    Firebase Authentication Documentation → goo.gle/3wT2SUn
    Firebase Security Rules Documentation → goo.gle/30mZ4Mx
    How to code review security rules → goo.gle/3kDZIiq
    Codelab: Protect your data with Firestore Security Rules → goo.gle/3Hoh64w
    Modeling your Firestore data → goo.gle/3qlVKOU
    Catch more videos → goo.gle/BetterSafethanSorry
    Subscribe to Firebase → goo.gle/Firebase
    #Firebase #Developer #Security #Authentication #Authorization
    Presenters: Sam Olsen, Rachel Myers (product: Firebase Security Rules)

Comments • 38

  • @sahaneakanayaka3394 · 1 year ago +3

    What a clear explanation this was. Slow and clever. Thanks 😊

    • @Firebase · 1 year ago +1

      Thank you for your feedback, Sahan! Don't forget to check out the Codelab link below for a more hands-on experience 😄:
      Protect Your Data with Firestore Security Rules → goo.gle/3Hoh64w

  • @randomusername982374 · 2 years ago +1

    This video is great. Thank you.

  • @lagit4strokesgained820 · 2 years ago

    Great video, this helps out a bunch! Thanks.

  • @naciribraimo7967 · 2 years ago +2

    I learned more. Thanks a lot

  • @TheEfflo · 2 years ago +2

    I love firebase security rules, easy to understand and simple to test

    • @reactarabic5767 · 2 years ago

      I don't agree with the second part, especially if you don't have the emulators

  • @xyz-ey7ul · 10 months ago

    this video saved my life. nice tutorial

  • @joshblf · 1 year ago

    This was super informative!

  • @michaelcasile1036 · 1 year ago

    Just getting started with them (already behind the 8-ball as I developed app with auth barely in the back of my mind) ... this was great info. Going to catch some more videos before I embark ... and will still be ready to revamp as I get more familiar with it.

  • @mmathems395 · 1 year ago

    I watched this video earlier and found you were answering questions that I had in mind, and I didn't know your Firebase videos included explanations to further knowledge on your Firebase docs, so it's really good to get this practical side from you and I will definitely be looking out for more ... It was Todd's video on unit testing that had me seeking videos by Rachel ... I think to add to the learning that is intended, that screenshots of the Firestore environment could be included for an explanation of how the values in rules or within Firestore correspond ... Right now I'm at 4:47 and I have a question ... The rule says allow 'create' if the ownerUID of an existing todo-collection document matches the user-identity of the current user ... My question is, would this rule work? Because 'create' seems to initiate a new document, so then I expect there to not be an existing document that would be relevant, or, at the very first time this rule is run, I would expect there'd be no possibility of a corresponding document ... Am I correct in this view or is there something I have misinterpreted here please?

  • @mastan419 · 2 years ago +2

    Very well explained.

    • @Firebase · 2 years ago +1

      Glad you liked it

  • @NabeelShaikh-pi5bx · 1 year ago

    Question: I have used Firebase for Unity extensively; within the Unity library you can import just firebase.authentication as a library and use it for authentication purposes. Now I am working on a Python project using Django, and I want to use Firebase. I can see that there are some third-party libraries like pyrebase and pyrebase4, but no official Firebase Python library for authentication. Is the firebase_admin library a good choice, as it's available for Python and does authentication?

  • @HelloWorld-fh2ge · 2 years ago +1

    Interesting ❤❤❤

  • @lugardjulien5326 · 2 years ago +1

    TIL, thank you

  • @alejandrogallego5419 · 2 years ago +1

    Hello. What is the same way for the Realtime Database? Why are all the videos only about Firestore?

  • @tiagocolombo9971 · 2 years ago +1

    Is there a way to create custom functions in RTDB rules as well? I have to repeat the same rules over and over again and my code is becoming a mess...

    • @rachelmmyers · 2 years ago +2

      Honestly, the best way to maintain RTDB rules is using BOLT to generate rules. github.com/FirebaseExtended/bolt/blob/master/docs/guide.md

  • @heroe2214 · 1 year ago

    I love you so muchhhhh

  • @mmathems395 · 1 year ago

    At 5:14 I have just noticed something for the first time ... The get() call begins with the name of the collection and not with /databases/{database}/documents/ etc. ... My question is, under which circumstances could I get away with making a get() call in this way please? When is it okay to leave out /databases/ etc., and if the collection within the get() call is a sub-collection, could that collection be stated without also stating its parent collection?
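
An added example (not from the video or the Firebase team) illustrating the path form behind this question: in Firestore Security Rules, get() and exists() always take an absolute document path beginning with /databases/$(database)/documents, even inside a nested match block, and a subcollection is addressed through its parent. The teams, members and tasks collections and the role field are constructed for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Constructed layout: each team keeps its member list in a subcollection
    // /teams/{teamId}/members/{uid}. The lookup path must name the parent
    // collection and document; a bare /members/... would be a different,
    // top-level collection. $(...) interpolates a variable into the path.
    function isTeamMember(teamId) {
      return exists(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid));
    }

    function teamRole(teamId) {
      return get(/databases/$(database)/documents/teams/$(teamId)/members/$(request.auth.uid)).data.role;
    }

    match /teams/{teamId}/tasks/{taskId} {
      // signedIn() is evaluated first so request.auth.uid is never read on an
      // anonymous request. Every get()/exists() is a billed document read and
      // counts against the per-request limit on document access calls.
      allow read: if signedIn() && isTeamMember(teamId);
      allow write: if signedIn() && teamRole(teamId) == 'editor';
    }
  }
}
```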

  • @BostYT · 2 years ago +1

    With Firebase Auth, how can I make it so you only need to log in on the homepage to get the same account logged in on different pages?

    • @PeterFriese · 2 years ago +1

      Hi Bost, check out this other video I made earlier: th-cam.com/video/rbuSx1yEgV8/w-d-xo.html (Getting started with Firebase Authentication on the web - Firebase Fundamentals) - it covers how to monitor authentication state using onAuthStateChanged.

    • @BostYT · 2 years ago

      @@PeterFriese Hi there, I have tried this already; however, when I try logging in on one page, it says my user is null on other pages. This is very frustrating, as the user has to log in on each page that requires login.

  • @JohnnyOshika · 2 years ago +3

    I think there's a bug in this example: `allow create: if resource.data.ownerUID == request.auth.uid`. In a create scenario, resource will always be null and that rule will always throw an exception, resulting in permission denied. I think you want `request.resource.data.ownerUID`.

    • @3mro_coding · 2 years ago +1

      This is actually not a bug. It ensures that nobody can hijack the user session, and in your front end you have to provide the Auth.UID within the payload of your document.
      So every document has an owner (Auth.UID).
      Hope it's clear now.

    • @JohnnyOshika · 1 year ago +1

      @@3mro_coding I think it's just a typo and what they really want is `request.resource.data.ownerUID`

    • @aimnblbol · 1 year ago +1

      @@3mro_coding Please explain this more. I don't get what you are saying.

    • @aimnblbol · 1 year ago +2

      I think it is a bug too. As a matter of fact at 4:09, they tell you that "Resource object is the document that the user is trying to access as it is currently written in the database. If this is the create method, the resource object will be empty."
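
An added example (not from the video or any commenter) showing the distinction this thread and the earlier 4:47 question turn on: resource is the stored document and is empty on create, so a create rule must check request.resource, while read and delete check resource and update can compare both. The todos collection and its ownerUID, title and done fields are constructed for the example; the schema check mirrors the "use rules like a schema" tip from the video.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Schema check shared by create and update. On update, request.resource.data
    // is the whole document as it would be stored after the write (not just the
    // changed fields), so the same check is valid for both operations.
    function validTodo(d) {
      return d.keys().hasOnly(['ownerUID', 'title', 'done'])
          && d.title is string && d.title.size() > 0 && d.title.size() <= 200
          && d.done is bool;
    }

    // resource         = the document as stored right now (null when creating)
    // request.resource = the document as it will look if this write succeeds
    match /todos/{todoId} {
      // Create: nothing is stored yet, so the owner check must read the
      // incoming data. Pinning ownerUID to the caller's uid stops a user from
      // creating a todo that claims to belong to someone else.
      allow create: if signedIn()
                    && request.resource.data.ownerUID == request.auth.uid
                    && validTodo(request.resource.data);

      // Read and delete only have a stored document: use resource.
      allow read, delete: if signedIn()
                          && resource.data.ownerUID == request.auth.uid;

      // Update has both. The caller must own the stored document, and the new
      // version must keep the same owner so a todo cannot be handed off.
      allow update: if signedIn()
                    && resource.data.ownerUID == request.auth.uid
                    && request.resource.data.ownerUID == resource.data.ownerUID
                    && validTodo(request.resource.data);
    }
  }
}
```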

  • @giakhiempham4057 · 2 years ago

    Hello sir, if I have an 'admin role' that can read and write every document, how can I write this role so that it overwrites the other roles?

    • @rachelmmyers · 2 years ago +3

      A rule can't "overwrite" another rule; any rule can grant *additional* access. This grants global access to admins; modify for however you're tracking admins:
      ```
      rules_version = '2';
      service cloud.firestore {
        match /databases/{database}/documents {
          // Allow admins to read or write to any document.
          // The caller's identity is exposed to Firestore rules as request.auth
          // (there is no bare auth global); the null check keeps anonymous
          // requests from erroring into a deny.
          match /{document=**} {
            allow read, write: if request.auth != null && request.auth.token.isAdmin == true;
          }
          // Rules for non-admins
          // Blog posts
          match /posts/{postID} {
            allow create: if ;
            ...
          }
        }
      }
      ```

    • @giakhiempham4057 · 2 years ago +1

      @@rachelmmyers thank you so muchhh

  • @foreach1 · 2 years ago +1

    You have to love Firebase ♥️

  • @alex.ssanya · 2 years ago +1

    Thank you. However, is it possible to add a security rule which is only invoked when there is an attempt to update a particular field in a document?

    • @rachelmmyers · 2 years ago +3

      Rules are written at the document level, not the field level. You can write a rule that only allows updates if a specific field is updated, but if you want to set different access controls on a specific field, pull that into a different document. Subcollections are great for that.

    • @alex.ssanya · 2 years ago +1

      @@rachelmmyers Thank you so much
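
An added example (not from the video or any commenter) of both options in the reply above: an update rule that passes only when a specific field is the one being changed, using diff() and affectedKeys(), and a field with different access control moved into its own subcollection document. The orders collection, its fields and the staff custom claim are constructed for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    function isStaff() {
      return signedIn() && request.auth.token.staff == true;
    }

    // Constructed shape: /orders/{orderId} with customerUID, note, status.
    // Which fields an update touches is computed per write, so the rule is
    // still document-level, but it only passes for edits to the named field.
    match /orders/{orderId} {
      allow read: if signedIn() && resource.data.customerUID == request.auth.uid;

      // affectedKeys() is the set of fields this write adds, removes or changes.
      // hasOnly(['note']) passes only when nothing but note is touched, so a
      // customer cannot quietly change status or customerUID in the same write.
      allow update: if signedIn()
                    && resource.data.customerUID == request.auth.uid
                    && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['note']);

      // A second allow grants additional access: staff may change status and
      // nothing else, and only to a known value.
      allow update: if isStaff()
                    && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['status'])
                    && request.resource.data.status in ['pending', 'shipped', 'delivered'];
    }

    // Field that needs different access control, pulled into its own document:
    // internal notes live under /orders/{orderId}/private/ and customers never
    // see them, because the rules above do not match this path.
    match /orders/{orderId}/private/{doc} {
      allow read, write: if isStaff();
    }
  }
}
```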

  • @thinclient5318 · 2 years ago +4

    It's almost impossible to not have a server. You will need to execute code elsewhere. That's where cloud functions come in.

  • @forester1 · 2 years ago

    I'm worried about Firebase billing if my social media app reaches more than 1 million users 😭