How To Make Your Firebase App SECURE - Firebase Rules

Captions
And today we are going to learn how we can make our apps secure, because right now, in all the projects that we've developed on the channel, we haven't really taken care of security, because I prefer to just look at the logic and leave security for you. But now I'm going to give you some easy steps that you can take in order to make your app a lot more secure, because remember, Firebase is also kind of in plain sight right now. The only thing that we have are these things called rules, which will actually restrict the content that the user is able to read, write or whatever, according to the rules that you set and the conditions that you want the user to be in. So you'll be taking a look at three different study cases that are really common to find in a Firebase project, and hopefully you'll be able to apply them to your own project. These will be really simple study cases, but nonetheless you will be able to pick something up from this lesson and apply it in a more general approach. So let's get right into it.

Okay, so here we are, and for the sake of this lesson I created a database that has a structure which you would probably find in a real Firebase project. It has some things that don't make a lot of sense and you'll never do them exactly like this, but the structure is somewhat similar, so it has some similar aspects to it. Okay, so we have an admin, and this node right here is just so that, let's imagine, the user is going to load up this node and see if this "running" is true; then it will continue them to the project itself. If "running" is false, then it means that the app is down and for some reason the user can't log in or use the app at all. This is just for the admins, so the user shouldn't be able to get write access to this; the user can only read the admin node, whether the user is logged in or not. Then we have the users, which has all of the user information. So this one, I have created the account for it, so it has the ID of the user, and then we have user 1, user 2, user 3, user 4. They are all basically the same, and what we want to do is for the user to be able to, if I'm this user, for example (let's use these users because it is much easier to visualize), if I'm user 1 then I should be able to alter my email, I should be able to read the content that's under my node, and so on and so forth. But if I'm user 1 and I'm trying to change the email of user 2, I shouldn't be able to do that, right? And I shouldn't be able to add information, because this is just for the user. So this node should only be accessed, or better yet changed, by the user if the user is logged in to that node. So that's one of the things that we want to do.

And then we move on to a more complicated issue, which is, let's say, this chat, and we have chat, then connection, and we have these users that are nested within each other. So for these, what I wanted to do is to emulate chats, so that if a user starts a chat with another, then it will create two nodes in here. Let's say we are user 1 and we want to chat with user 2: then we'll create a node inside ourselves with user 2, and create another one inside user 2 with our ID, so that's how we can comprehend each other, so that we can both know who is following whom, or who has a chat with whom. So inside here we have some information; obviously this is just to illustrate something so that you know that you can't access it, and so I just placed "confidential". Imagine this is a bunch of data that only user 1 and user 2 can access, because they are both in a conversation. Okay, so that's it, and this will be the most complicated one, but it is really easy to do nonetheless.

So now our rules are set to true and true. This means that the user can read data and write data wherever he or she wants, with no problem at all, and obviously this is not safe. This is only meant for testing purposes, and yeah, that's why you have to be careful with this. If you have true and true, then make sure that by the end of the project you try to change this into something that's secure, because this is an open door for anyone to do whatever they want with it.

Okay, so now I'm going to jump into the project that I've created just for this, and I'm going to collapse this. Okay, so we have a main activity, which is this activity right here, and we have the content activity, which is the activity that the user goes to after registering. Okay, and right now, in the main activity, it is running this function right here which is called sendGetData, so it just is a function for us to do whatever the hell we want. And right now I'm just trying to get the main DB; the main DB is the whole database. I'm trying to see if I'm able to, without being logged in and without anything else, get all of the database, and after that we also test if you can delete all of the database. So I'm going to run this, and let me just check right here. Okay, I'm going to clear up the log, and I'm logging this data with the V, "simcoder", "firebase", and you can do this as well. The V means verbose, and this first tag is something that we can look for in the log, so it's much, much easier to find, because if you remove this then you can see a bunch of logs appear. So if you want to have an easier job, just use a tag that's unique to us. Okay, I'm going to quickly run the project, and we should expect all of the database to appear here, because our rules are set to true. Okay, and as you can see, this is all of the database, and yeah, so this isn't good.

I'm going to try yet another thing. I'm just going to comment this out, and I'm going to do something that hackers like to do, and people that want to mess with you like to do, which is just removeValue. Now, what do you think would happen if I call removeValue on the root of the database? You would obviously clear everything up, so you lose all the information that you have. This is one of the reasons why backups are important, even if you are using Firebase: simply come in here and export JSON. Okay, that's something that you have to be accustomed to doing from time to time. Okay, so let's try to do this, run it, and let's see the magic happen. Okay, it opens up, boom, and the database is cleared. Like that, with just one line of code, you can effectively delete the whole database, so that's not good at all. I'm going to quickly import the database again, this one, yeah, okay.

And yeah, so now, in order to make this a tiny bit safer, and I just say a tiny bit because it is really clearly just a tiny bit, I'm going to say that auth must be different from null in the read, and in the write auth must also be different from null. This simply means that... and I forgot that we must enclose this in double quotes, so let me just do that. This just means that the user must be logged in if the user wants to read or to write to the database. It doesn't specify any nodes; it is generally the database. So with these rules we shouldn't be able to just launch the app and be able to run the code that we have here. So I'm going to again try to remove the value and just run it again. I'm going to publish the rules, okay, and after they are published this warning will appear saying that any authenticated user can look into your database and change it, effectively. But if the user isn't logged in, then it can't do anything to the database. And these rules are really simple, and they apply, again, to every node of the database; it applies to the root of the database, better yet. So let's try it again, run the app, it gets out, gets in, goes to the database and tries to access it, and nothing happens. Hmm, that's good, you see. So that's one of the things that we wanted, and I'm going to come in here to the log, and as you can see there is this line right here in the log that says setValue at failed, error: permission denied, and that's because we tried to remove that value, but as our rules say, we must be logged in in order to change anything. Okay, so now we are secure when it comes to the log in; somewhat secure, better yet.

So now one of the most basic things that we would like to do is to get the admin, this value, and we want any user to access it. We don't need an authenticated user to be able to read this value, but we don't want any user at all to be able to write in here, okay? So to do that is really simple: we simply must come in here and, first of all, I'm going to leave this for a bit, and we must specify this node, so "admin", colon, open brackets, and now we can specify what we want the user to be able to do inside of the node admin. Okay, and so I'm going to just grab this, copy it in here, and as I said, I want the user to be able to read it, any user, it doesn't need to be logged in, but I don't want any user to be able to write in it. So we set the read to true, because we want everyone to be able to read it, and we set the write to false, because we don't want anyone to. Whereas ourselves, as we have access directly to the database, we can simply come in here and change true; this won't change because of the rules. We can still do that because we are the admin of the project, but any user that's logging in or that's using our app won't be able to do anything to it. Okay, publish. And one more thing: because we've specified the admin and we removed the read and write from the root, you can imagine this as the database that we have right here, okay? Because we are only using the admin, the Firebase project will assume that any other node that's not specified in here will have the read and the write set to false. So when you start writing rules, you have to do it for every single node, every main node better yet, because otherwise the user won't be able to access any of that, and yeah, that's also not good. So when you start, you have to go all the way, basically. So we have the read set to true and the write set to false, and let's try to come in here.

So now we have the sendGetData, and we are going to try to remove the admin DB, and after that we are going to try and get the data from the admin DB. Okay, so I expect this to fail but this to work, even though we are not logged in. Okay, so let's quickly run here, open the Logcat, remove this, "simcoder firebase", and whoops, I missed it, so I'm going to run it again. And we were able to get the admin, but were we able to delete it? No, the admin "running" is still here, and if you come in here and simply specify "firebase" in the verbose log, we can see again the permission denied. Okay, so that's excellent, that's exactly what we wanted, and now we can move on from the main page and actually log in and try to do some things.

Okay, so next up we are going to work with the users. So in the users, again, we want the user, if we are user 1 for example, we want to be able to read and to write inside it, but if you are not user 1 but are trying to access user 1, then we want to only be able to read, okay? So let's come in here in the content activity. In here we are already logged in, because it is the main page, and I'm going to come in here and log in right away, test@gmail.com, 2 3 4 5 6, okay, and you can see my ID in here and it matches the first user, okay? And when we click the button, this fire button, then the sendGetData will happen, okay? So now we are going to try to get the user DB of ourselves, so child, oops, and my keyboard just changed, okay, child, FirebaseAuth.getInstance().getUid(). This is our UID, and we are going to try to get the data from it, and we are also going to try and add a child to it, so child, I don't know, let's go with "test", "test", .setValue. So if we are logged in with our credentials, then we will be able to do these writes, and we'll be able to get this code; that's what we want to do. But if we add the child, instead of FirebaseAuth getInstance getUid we use, for example, user 1, then we don't want to be able to write in it. And to do this it is extremely easy, so let's come in here and go into the node that is relevant to us; in this case it is "users", because it is this one. Then we'll have the read, and the read will be applied to every single user, because we want every user to be able to read every piece of information of each other, so there's no problem with that. And we are going to say read, set it to true, or better yet auth different from null, so the user must be logged in in order to read. Then this read will be applied to every user, but then we want to specify, for each user, which user we are able to write data to, okay? And to do that we are going to use something that we can use freely, which is a kind of a variable, so let's say $userId, and I'll explain this in a quick second, so don't worry. This $userId is any user that we have here, so these: user 1, user 2, user 3, user 4, and we are able to get this $userId to compare it to the user ID of the currently logged in user, and with that we are able to make decisions on whether the user can write, read, whatever, okay? So this is a really cool thing that you can use. So let's simply say, and in the read I forgot the dot, it's ".read", okay, and let's say ".write", and to write into this $userId the user must have the $userId equal to auth.uid, and as you can see it autocompletes it. If you use auth, that means the user that is currently logged in, and you are able to access a bunch of data: token, provider and uid; in this case we want the uid. And yeah, this will compare both of them, and if they match, then we'll be able to write with no problem, okay? And before that you should also add auth different from null, just to make sure no problems occur, okay? And because this works the same as, for example, PHP works, where you need three equals in order to make a comparison, because two, I believe, doesn't look at the type of the variable or whatever, so it doesn't matter, just use three equals in here and you should be fine.

Okay, so now what we expect to do is, as I've said, we will be able to write into ourselves, but we won't be able to write into any other user's node, better yet. So I'm going to actually come in here and expand this a bit further. I'm going to try and write to the user 1 with the same "test" setValue to true, and I'm going to try and get, instead of getting our data, I'm going to get the data of the user 1. That way we can kill two birds with one stone and just do it with one launch, okay? So let's try and run it, and I forgot to publish the rules, let's do it quickly. Okay, the rules have been published, and now if we come in here and try to run it, it will write, as you can see, to our node, because we are logged in with this user, but it didn't write to the user 1, and it probably got the data that we needed. So yes, it got the data from the user 1, which is exactly what we wanted. And yeah, I'm going to run this again because we weren't able to see it happening in here, so let's do it, flash, give it a second, and we must be quick obviously, and there we go: we got the data from the user 1, it is exactly what we wanted. And so we are able to get any data that is in the users node, but we are only able to write to our own node. That's really cool, and that's a fantastic feature that we are able to implement, because otherwise, without this, Firebase would be useless, because it is completely insecure.

Okay, so now that that's done, we are going to move on to a more complicated issue, which is nesting. And so we have one user, then another, and we only want the user to be able to access the data if it matches either this one or this one, okay? So let's try and do it. I'm first going to change how we get data. I'm going to copy this, comment it out, do it again, and come in here into the chat DB, and here it is "chat" and then .child("connection"), okay? And as you can see, we want to be able to come in here, so I'm going to use the user 2, wait, and user 1, and then yeah, let's go with that. So in the user 2, let's imagine we are a hacker and we want to be able to get this confidential information, but we aren't logged in as user 2 or user 1, obviously. So how are we going to do it? We will first try to write the child that we want, so in this case it would be user 2, and then followed by the user 1, okay? And this is to write the value; to get the value we want, in here, okay? And I'm going to also write 2, just to show you that it isn't possible, and because this is a chat or whatever, the user 1 also has the information of the user 2, okay? So let's try to write to 2 here and say, for example, we want to delete all of the data that's inside here and here, okay? That's our goal. Let's see if we, as a company that's trying to protect our project, are able to defend against an attack like this. Okay, so to do this we are going to follow the same logic that we did with the users; the defense line is really similar. So let's say "chat", to correctly identify, then we have connections, I believe it is just "connection", yeah, then we have the users. So because, as you remember, we can use variables inside the Firebase rules, let's try and use two variables: one for the first user, so user 2 in this case, and one for the other user, user 1. So let's say, I didn't want to use "user ID"; $userId1, okay, then open brackets, and $userId2, okay? And this isn't the ID of this user 1, it is user 1 like a general user 1, because, as you remember, these are variables, and this will be applied to any and all the IDs that are in here, okay? So now, as I said, we want to protect this data, so we want the user to not be able to write if he isn't one of these, and we don't want the user to read if he isn't one of these, okay? So how can we do this? We are going to do exactly what we did in here. So let's say ".write", and to write the user must have auth different from null, and the $userId1 must be equal to auth.uid, or, and this is the big one, the $userId2 is equal to auth.uid, okay? As simple as that, and I'm going to put parentheses around this, okay, and do the same for the read, because the read and the write will be exactly the same, and that's it. So let's try and publish the rules, and yeah, a comma is missing, let's try and do that again, and the rules were published.

So now let's try to run the app with these settings. Because we are logged in as this user, we should only be able to access this node right here or this node right here, because it is the only one that will pass this condition. But because we are trying to access both this node and this node, then we won't be able to do anything with what we just wrote in here, so nothing will appear, and normally "permission denied" will appear, I believe so, and I hope so, right? So let's try and run it, quick, and this "let us now" chat appeared here, but the value, as you can see, is false. We are trying to listen to user 2 and user 1 in the chat DB, user 2 and user 1, followed by user 1, so "confidential" equals true; so we were expecting this to appear, but because our rules are in place, the permission has been denied, and you can see it by coming into "firebase" for verbose, and these three lines are telling us what happened and why we weren't able to do any of this, okay? So as you can see, the listen, which is, recall, the addValueEventListener, failed because we didn't have permission, and both of the writes actually failed as well because we didn't have the permission, okay? So now let's try to do it with our own connection. So let's say, copy this and place it in here, and then we have user 1, I believe below, okay, so "confidential" equals true, and we expect that to show up now. Let's do the same here, but the setValue equals to, let's simply add another child in here, so "test" equals true, okay? Now let's run it and see if we are able to actually write information and to get the information from it. So let's go: the write was successful, that's great, and if you come in here, I'm going to "simcoder firebase", then the value appears to be false, and that must be a mistake. Okay, so, okay, the problem is that I forgot to remove the user 2 before placing this in, and because of that we weren't able to get the data. But let's run it again, and for some reason the input popped up, but no problem, let's send and get data, and again, as expected, we are able to get the data, because our UID is the same as the auth.uid of the user that we are currently logged in as, okay?

So that's it. I touched upon every aspect that I wanted. As you can see, it is really easy to write rules; obviously it can get much more complicated than this, but with what I've written in here you are able to understand the basics of it and how it works in the most basic aspect. Obviously you can complicate it a lot more, but for now this should be a good starting point for you to write your own rules when it comes to your Firebase projects. Okay, so that was all. I hope you were able to grasp some knowledge from this video, at least the minimum required to make your app that much more secure, because just knowing a bit about the Firebase rules you are really able to protect your app against attacks. Because remember, it is really easy to get the compiled Java code and get access to the entire project, so the user can always fall back on it and actually get your code and make the changes that, well, won't be good for your database. And even without thinking about hackers, we all make mistakes, and as coders we make them every day, and this is just a layer of security that you can have in order to protect yourself from future errors, and yeah, just make your life a bit easier in the future. So that was all, thank you all very much for watching.
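The complete rules file that the video builds up step by step, written out here as an added example (it is not copied from the video or the SimCoder project). The node names admin, users and chat/connection follow the transcript; the wildcard spellings `$userId`, `$userId1` and `$userId2` are assumptions. Realtime Database rules accept `//` comments, and unspecified paths default to no access.

```json
{
  "rules": {
    // No root-level .read/.write: anything not listed below is denied.
    "admin": {
      // Case 1: the "running" flag is readable without logging in,
      // but no client (authenticated or not) may change it.
      ".read": true,
      ".write": false
    },
    "users": {
      // Case 2: any signed-in user may read every profile. Note that a
      // .read granted here cascades to all children and cannot be
      // revoked deeper down, so keep nothing private under /users.
      ".read": "auth != null",
      "$userId": {
        // Only the owner may write to his or her own node. Use === as
        // in the video so the key is compared as a string to auth.uid.
        ".write": "auth != null && $userId === auth.uid"
      }
    },
    "chat": {
      "connection": {
        // Case 3: /chat/connection/<userA>/<userB> holds the shared data.
        // Either participant may read or write it; anyone else is denied.
        "$userId1": {
          "$userId2": {
            ".read": "auth != null && ($userId1 === auth.uid || $userId2 === auth.uid)",
            ".write": "auth != null && ($userId1 === auth.uid || $userId2 === auth.uid)"
          }
        }
      }
    }
  }
}
```

Paste this into the Rules tab and publish; the removeValue and addValueEventListener calls from the video then fail with "permission denied" exactly where the transcript expects them to.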
Info
Channel: SimCoder
Views: 15,282
Rating: 4.92 out of 5
Id: 253Ic4syeYM
Length: 31min 18sec (1878 seconds)
Published: Sun Nov 25 2018