Learn how to secure your Firebase database when building Ionic apps

Last updated on May 31st, 2017 |

We’re going to start preparing our app to go public, so the first thing we’ll need to do is update our security rules on the server, we don’t want people connecting to the app and having access to someone else’s data.

Database Security

There’s a comprehensive guide about security rules in Firebase Docs and I’ve kept them really simple for this app because I do believe that if you structure your data correctly they don’t need to be hard.

So, to structure your security rules, you’ll need to go to your firebase console:

console.firebase.google.com/project/YOURAPPNAMEHERE/database/data

By default the rules are there to allow access to only authenticated users:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

We need to set them so it also checks that the user trying to access the information is the correct user

{
  "rules": {
    "userProfile": {
      "$uid": {
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null && $uid === auth.uid"
      }
    }
  }
}

There we are saying that under the userProfile node there’s going to be a variable called uid, when you add the $ sign in here it takes the value as a variable.

And we are saying that for a user to have read or write permissions under that node, their auth.uid needs to match the $uid variable.

did you finish the book? If you want to upgrade to the PREMIUM package use the link below to discount what you already paid for the BASIC package. Check out the discount here.

did you finish the book? If you want to upgrade to the PREMIUM package use the link below to discount what you already paid for the COMPLETE package. Check out the discount here.

Follow @javebratt

In here auth is a variable that holds the authentication methods/properties.

There we ensure that only the user who owns the data can write/read it.

Storage Security

You should also set up rules for Firebase Storage, that way you can protect your users’ files.

You’ll need to go to:

console.firebase.google.com/project/YOURAPPGOESHERE/storage/rules

And this looks a bit different:

// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/bill-tracker-e5746.appspot.com/o {
    // Files look like: "user/<UID>/path/to/file.txt"
    match /{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

It first looks that I’m pointing at the current cloud storage bucket, then that the user who uploaded the file is the only one who can read/write that file.

did you finish the book? If you want to upgrade to the PREMIUM package use the link below to discount what you already paid for the BASIC package. Check out the discount here.

did you finish the book? If you want to upgrade to the PREMIUM package use the link below to discount what you already paid for the COMPLETE package. Check out the discount here.

Follow @javebratt