How to Build a Secure App in Firebase (Firebase Pro Series)

  • Published on 16 Aug 2018
  • The Firebase Pro Series is back to teach you how to build a secure app in Firebase! This week, Mike McDonald dives deep into Firebase Security Rules, because he’s secured more apps than he can count. Mike walks you through making a chatroom app that is secure for individuals and groups. Learn how to protect data in Cloud Storage and Cloud Firestore through defining resource types and validating inputs. Stay safe, Firebase developers, and don’t forget to let us know all your burning security questions in the comments below!
    Firebase Security Rules documentation → bit.ly/2MRUIUA
    Subscribe to the Firebase channel → bit.ly/firebase2
    Firebase Pro Series playlist → bit.ly/2OX98nH
  • Science & Technology

Comments • 69

  • @olivermiller1905 6 years ago +73

    "Because this is Google, we're going to build a new chat app" 😂
    1:04

    • @MohdAkmalZakiIO 6 years ago

      Indeed it's happening, with the latest one, Duo to "replace" Hangout.

    • @klawdyo_ 6 years ago

      Yeah!!! New chat app every day is sooooooooooo Google 😂😂😂😂

    • @dhiyaulhaq8369 6 years ago

      Lol 🤣

    • @ramitdour 3 years ago

      now meet 😂😂

    • @harmanmax 3 years ago

      Google Talk -> Google Hangout -> Duo -> Meet 🤣🤣

  • @mateja176 6 years ago +15

    This video is a must watch if you're a firebase user!

  • @Lindauson 6 years ago +2

    Awesome post! I was waiting for a really good video of implementing role-based security.

  • @kld0093 5 years ago +1

    This is exactly what I wanted to see! Thank you 🔥

  • @eriktorres1745 6 years ago +1

    I usually stayed away from building logic in the rules but this is clear on how I can do so. This is good stuff, thx!

  • @DanBorgia 4 years ago

    This was awesome! Please do make more videos like these. Security rules is taking me a while to understand but these real world examples help.

  • @rammalvarez2664 6 years ago +1

    Wow! Super useful video, thank you guys, great great work!

  • @AndresVillanuevand 6 years ago +1

    Great video folks!

  • @smartcontxlimited5658 6 years ago

    Really helpful instruction - thank you!

  • @artursponchiado7265 5 years ago

    Really good video, thanks!!

  • @haythamabdulla3321 6 years ago

    This is really great video!!! Thanks

  • @robertshawnmitchell 6 years ago

    This is great, thanks!

  • @AbhishekKumar-mq1tt 6 years ago

    Thank you for this awesome video

  • @DenisTRUFFAUT 6 years ago +1

    Great video. Creating Firestore rules helps to reduce code overhead!
    Questions:
    - Can I do crazy things in functions, like fetch? (not an actual use case, just to know the limit)
    - Is there a performance impact, when accessing data, to check data with functions?
    - Are ES6 functions supported? `const fn = param => { /* something */ }`

  • @MarkValenzia 6 years ago +2

    Awesome series guys, just found an error at 7:29 shouldn't the `isUser` and `isAdminUser` functions param be used in the function body? So pass in say `userDoc` then check `userDoc.size() == 1` and not `message.size() == 1`.
    I would also love to see some advanced data modelling tips using Firestore and how to use references to other docs.

  • @IljaDidDevs2 6 years ago +7

    How did you guys manage to get syntax highlighting on .rules file? :O

  • @manassengudia1854 6 years ago

    This is great !!

  • @robertotomas 5 years ago +1

    best intro ever :)

  • @elevatetechai2024 5 years ago

    freaking awesome

  • @danieljimenezG 6 years ago +1

    Great video! [5:33 and 7:27] There is an error inside these functions: the parameter is called user, and instead message is used.

  • @FidelGuajardo 6 years ago

    Good stuff

  • @amarendradeo816 6 years ago

    Security is First.....Good Video

  • @adetayogisanrin8957 4 years ago

    I love this. Can you do a video on how to secure an e-commerce website?

  • @gofudgeyourselves9024 6 years ago

    Now that's the guy I want to see in a firebase video

  • @guruprasath8263 6 years ago +1

    The `isUser()` function is defined with the parameter `user`, but `message` is used inside the definition. And in Firestore it became `userDoc`.
    Not to be nitpicking, but please get the demo right, because we trust you guys to be "Pros".

  • @DarlantenCaten 5 years ago +1

    Can we get a similar video with advanced security rules for Realtime Database please?

  • @MechyBang 6 years ago

    Great tutorial!
    But wouldn’t it be easier to integrate schemas for Firestore?
    Also, the "Authentication and User-Document" design pattern seems to be a desirable feature? So why not allow custom metadata for Auth objects?

  • @indrajitsaha253 6 years ago +2

    What about the code on the console for real-time database?

  • @mika2666 6 years ago

    In your `match /{userId}` you're checking if the request.auth.uid is both equal AND not equal to userId, so it will not work?

  • @dalemoncayo 6 years ago

    Just wow.

  • @mikemagss 6 years ago

    Is there any way to secure the contents of an array using firestore rules?

  • @zacharytelschow4088 6 years ago

    Awesome video - very timely for me. Is the code available anywhere?

  • @MechyBang 6 years ago +1

    How can you achieve syntax highlighting?
    I've found this plugin for VS Code (github.com/toba/vsfire), but is there one for WebStorm?

  • @dishantmahajan8238 6 years ago

    @5:37 the isUser function must be using the user ref, or it has to use the message ref.
    According to me that's an error here 😅😅😅

  • @Lindauson 6 years ago

    Could you elaborate on User/Role initialization. That is, what would be the best way to initialize the first Admin role User?

    • @robertshawnmitchell 6 years ago +1

      I'd probably just do that through the console manually

  • @milindkpatil 6 years ago

    Hi, nice and helpful video - thanks.
    Question - in an app, if/where we wish to limit the 'read, write' for any user to just the records created by that user - how do I define the rule on the server?
    The document field that has the user info (uid) is author_id - I tried this
    [service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if request.auth.uid == resource.data.author_id;
    ...]
    and also tried various other combinations - it did not work.
    Important - I do NOT wish to specify this filter on the client side - because anyone can change the client JavaScript and remove the filter, thereby seeing ALL the records.
    [this.db.collection('mytable', ref => ref.where('author_id', '==', this.authService.getUser().uid)).snapshotChanges().map(docArray => ...
    and a hacker may replace the above example code with this in the client JavaScript before the post command:
    this.db.collection('mytable').snapshotChanges().map(docArray => ...] (where clause removed)
    Please help!
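
An owner-only ruleset for the case raised in the comment above, added here as an illustration (not the video's code and not the commenter's). It keeps the collection name `mytable` and the field `author_id` from the comment; `docId` and the helper function names are my own. The two points it makes: on a create there is no stored document yet, so `resource.data` is null and a combined `write` rule that reads `resource.data.author_id` denies every create, which is why `create` must check `request.resource.data` instead; and rules are gates rather than filters, so a client query that drops the `where('author_id', '==', uid)` clause is rejected as a whole instead of silently returning other users' records.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // The caller has a signed-in Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // The caller owns the document that already exists in the database.
    // (resource is null on create, so this only makes sense for
    // read / update / delete.)
    function ownsExisting() {
      return signedIn() && resource.data.author_id == request.auth.uid;
    }

    // The document being written names the caller as its author.
    // (request.resource.data is the full document as it would be stored.)
    function ownsIncoming() {
      return signedIn() && request.resource.data.author_id == request.auth.uid;
    }

    // Collection name taken from the comment above.
    match /mytable/{docId} {
      // Reads: a list query must constrain author_id to request.auth.uid,
      // otherwise Firestore cannot prove every result passes and rejects
      // the whole query. The client-side where() clause therefore cannot
      // be removed by an attacker to widen the result set.
      allow read: if ownsExisting();

      // Create: check the incoming data; there is no resource.data yet.
      allow create: if ownsIncoming();

      // Update: caller must own the stored copy AND must not reassign
      // author_id to somebody else.
      allow update: if ownsExisting() && ownsIncoming();

      allow delete: if ownsExisting();
    }
  }
}
```

With these rules the client keeps its `where('author_id', '==', uid)` query; the rule is what makes removing it fail rather than succeed.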

  • @albertogomez9574 6 years ago +2

    Great video! I would like to know how to avoid someone from making too many requests, even if it’s an authenticated user they could make thousands of requests per second. Is there a way to prevent this? Otherwise this would cost a lot since firebase charges per use

    • @blessing7695 6 years ago

      I have been looking for the answer to this very question, hopefully someone replies with some good leads.

    • @martinngregersen 5 years ago

      stackoverflow.com/questions/47050240/firebase-cloud-function-how-to-deal-with-continuous-request

    • @urbaniv 4 years ago +2

      If you have authenticated users you could add a document where you store the timestamp of the last request. In your security rules, you can compare the timestamp of the request and the timestamp of the last request. The most important thing is, firestore can't be your cms system for let's say your public website. you should only use firestore with authenticated users. Any public data can be misused. Another possibility would be to create anonymous users for every visitor - at least that gives you a little bit of restriction. And of course, disable localhost as allowed domains for creating users so that users can't be created from any localhost. I know one year later but perhaps still useful.
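
The last-request-timestamp idea from the reply above, written out as a ruleset. This is an added illustration, not code from the video or from the commenter; the `throttle` collection, the `lastWrite` field, the `rooms/{roomId}/messages` path and the 2-second window are my own choices. The client must create the message and stamp its own throttle document with the server timestamp in one batched write; `getAfter()` lets the rule verify that the batch actually contains that stamp, so a client cannot post without advancing its own clock.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() {
      return request.auth != null;
    }

    // True when (a) the same batched write stamps the caller's throttle
    // document with the server time (getAfter sees the post-write state),
    // and (b) the previous stamp, if any, is at least 2 seconds old.
    function throttleOk() {
      let path = /databases/$(database)/documents/throttle/$(request.auth.uid);
      return getAfter(path).data.lastWrite == request.time
          && (!exists(path)
              || request.time >= get(path).data.lastWrite + duration.value(2, 's'));
    }

    // Each user may only read and stamp their own throttle document, and the
    // stamp must be the server time (serverTimestamp() on the client), so a
    // client cannot backdate it.
    match /throttle/{uid} {
      allow read: if signedIn() && request.auth.uid == uid;
      allow write: if signedIn() && request.auth.uid == uid
          && request.resource.data.lastWrite == request.time;
    }

    match /rooms/{roomId}/messages/{msgId} {
      allow read: if signedIn();
      // Authenticated authors only, and never faster than the throttle allows.
      allow create: if signedIn()
          && request.resource.data.author == request.auth.uid
          && throttleOk();
    }
  }
}
```

This throttles authenticated writes only; it does nothing for unauthenticated reads, which is the point the reply makes about not exposing public data directly. The `get`, `exists` and `getAfter` calls are document reads that count against the per-request document-access limit and are billed.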

  • @utsavmangla8552 6 years ago

    Can we similarly apply these roles to Firebase Realtime DB too? 😋

  • @mikemagss 6 years ago

    Both isUser and isAdminUser have a 'user' parameter but make use of a 'message' object. Am I not following or is that a mistake?

  • @Albertmars32 6 years ago +6

    How to integrate Stripe with Firebase Cloud Functions?

    • @bensonmwaura9494 6 years ago

      Hi! Here's a great resource for handling stripe integration by AngularFirebase th-cam.com/video/Lb-Pnytoi-8/w-d-xo.html

    • @ruissantos2737 6 years ago

      See if it's what you are looking for: th-cam.com/video/_lZc2O2oUJk/w-d-xo.html. Angular Firebase channel(th-cam.com/channels/sBjURrPoezykLs9EqgamOA.html) has some awesome videos.

    • @MechyBang 6 years ago

      th-cam.com/video/NsPGRIVOg0U/w-d-xo.html

  • @BenHayat 5 years ago

    Why hasn't this series (the Pro series) grown at all? We really need advanced and pro videos from Google engineers rather than someone trying to make a sales pitch to buy into Firebase.

  • @michaelscofield2652 6 years ago

    Can't wait to see all the pwned apps built in Firebase.

  • @pnadmin7927 6 years ago

    The isUser function has an issue: the function param is user, but in the function you're using message.

  • @chrissimmons1168 6 years ago

    Can the next video be how to deploy a React/Node.js Firebase web app?

  • @admiralman895 5 years ago

    Hey Mike, I have followed your approach by using the roomExists check and have found that it doesn't work as expected. If you actually perform a SET and the document exists, the SET performs an UPDATE and as such bypasses your !roomExists check. Granted, since there is no UPDATE rule, any update would fail. So my question is why have the check in the first place? Watching the video it seems like you are trying to convey that the roomExists check actually stops a create if TRUE... well, it does, but not really, so it's a little misleading.

  • @nipunmadan1989 5 years ago

    I think this approach is not solving the bootstrapping problem. How can I give a user the admin role? @Mike McDonald

  • @makemypetgamedevprocess6475 2 years ago

    👍

  • @ecsyntric 5 years ago

    Firebase is touted to be extremely easy. The rules system hopefully allays all those misconceptions.

  • @JoseVibar 5 years ago

    Firebase & Elasticsearch ?

  • @robertshawnmitchell 6 years ago

    Repo for this example? I want to steal it!

  • @lsd22252 6 years ago

    I would appreciate a focus on locking down a vanilla JS PWA to ensure that only authenticated users can run the app.

  • @mika2666 6 years ago +1

    because this is google we're gonna build a new group chat app LOOOOOL

  • @MohdAkmalZakiIO 6 years ago

    It should be "How to Build a Secure Chat App in Firebase". I thought it was a general video on security in Firebase.

  • @michaeloosthuizen2383 5 years ago

    request.resource.data.size() does not work in the wild. The simulator will pass the rule, but in the wild it will fail.
    Edit: I discovered why! request.resource.data will add fields that exist in the document even if they are not in the request. Must be a bug in the simulator. I wanted to prevent a field from being changed, ended up having to add it to the fields I was counting on receiving and then add a request.resource.data.xyz == resource.data.xyz clause to prevent it from being changed.

    • @gomsoares 5 years ago +1

      Yeah, I had the same problem today, thinking that request.resource.data has only the updated values, and the simulator not complaining.
      But you can use `request.writeFields` to get the fields that are being updated, and to prevent an update on a field, you can do `!('someField' in request.writeFields)`.
      You can even create a function to simplify:
      function notUpdating(field) {
        return !(field in request.writeFields)
      }
      and just call notUpdating('someField')
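
The immutable-field problem discussed in this thread, written up as an added example (not the video's code and not either commenter's). It relies on the behaviour the first comment discovered: in an update, `request.resource.data` is the full document as it would be stored, not just the changed fields, so `size()` checks do not tell you what changed. Diffing the incoming document against `resource.data` does, and `request.writeFields` has since been deprecated in the rules reference in favour of this. The `rooms/{roomId}/messages` path and the `author`, `text` and `createdAt` field names are my own.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() {
      return request.auth != null;
    }

    // Set of keys whose value differs between the stored document and the
    // document the request would store. On an update, request.resource.data
    // already carries every unchanged field, so only diff() isolates the edit.
    function changedKeys() {
      return request.resource.data.diff(resource.data).affectedKeys();
    }

    // True when the update touches nothing outside the allowed list; an
    // update that changes no field at all also passes (empty set).
    function onlyChanges(allowed) {
      return changedKeys().hasOnly(allowed);
    }

    match /rooms/{roomId}/messages/{msgId} {
      allow read: if signedIn();

      // On create, pin the schema: exactly these keys, author is the caller,
      // createdAt is the server time so it cannot be forged.
      allow create: if signedIn()
          && request.resource.data.keys().hasOnly(['author', 'text', 'createdAt'])
          && request.resource.data.keys().hasAll(['author', 'text', 'createdAt'])
          && request.resource.data.author == request.auth.uid
          && request.resource.data.createdAt == request.time;

      // On update, only the author may edit and only 'text' may change;
      // 'author' and 'createdAt' are thereby immutable without a separate
      // request.resource.data.x == resource.data.x clause for each.
      allow update: if signedIn()
          && resource.data.author == request.auth.uid
          && onlyChanges(['text']);
    }
  }
}
```

For a single protected field the `request.resource.data.xyz == resource.data.xyz` clause from the first comment is equivalent; the diff form scales to many fields and also rejects an update that adds an unexpected key.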