JAVEBRATT

Ionic Framework Tutorials

Header Right

Main navigation

Learn how to secure your Firebase database when building Ionic apps

by 6 Comments

Last updated on July 2nd, 2017 |

We’re going to start preparing our app to go public, so the first thing we’ll need to do is update our security rules on the server, we don’t want people connecting to the app and having access to someone else’s data.

Database Security

There’s a comprehensive guide about security rules in Firebase Docs and I’ve kept them really simple for this app because I do believe that if you structure your data correctly they don’t need to be hard.

So, to structure your security rules, you’ll need to go to your firebase console:

console.firebase.google.com/project/YOURAPPNAMEHERE/database/data

By default the rules are there to allow access to only authenticated users:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

We need to set them so it also checks that the user trying to access the information is the correct user

{
  "rules": {
    "userProfile": {
      "$uid": {
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null && $uid === auth.uid"
      }
    }
  }
}

There we are saying that under the userProfile node there’s going to be a variable called uid, when you add the $ sign in here it takes the value as a variable.

And we are saying that for a user to have read or write permissions under that node, their auth.uid needs to match the $uid variable.

In here auth is a variable that holds the authentication methods/properties.

There we ensure that only the user who owns the data can write/read it.

Storage Security

You should also set up rules for Firebase Storage, that way you can protect your users’ files.

You’ll need to go to:

console.firebase.google.com/project/YOURAPPGOESHERE/storage/rules

And this looks a bit different:

// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/bill-tracker-e5746.appspot.com/o {
    // Files look like: "user/<UID>/path/to/file.txt"
    match /{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

It first looks that I’m pointing at the current cloud storage bucket, then that the user who uploaded the file is the only one who can read/write that file.

Next Steps

  • Pingback: Ionic 2 and Firebase 3: 5 hacks to keep in mind when building your new app()

  • tapir

    Ok, I have fixed that by adding explicitly
    export class EventCreatePage {
    public eventName: string;
    public eventDate: string;
    public eventPrice: number;
    public eventCost: number;

    • fixed what?

      • tapir

        [12:40:16] Error: Error at
        eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:636:40
        [12:40:16] Property ‘eventName’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:648:41
        [12:40:16] Property ‘eventPrice’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:660:41
        [12:40:16] Property ‘eventCost’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:677:41
        [12:40:16] Property ‘eventDate’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:892:43
        [12:40:16] Property ‘eventName’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:897:43
        [12:40:16] Property ‘eventPrice’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:902:43
        [12:40:16] Property ‘eventCost’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:907:43
        [12:40:16] Property ‘eventDate’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:922:67
        [12:40:16] Property ‘eventName’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:922:90
        [12:40:16] Property ‘eventDate’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:922:113
        [12:40:16] Property ‘eventPrice’ does not exist on type ‘EventCreatePage’.
        [12:40:16] Error at eventTutorial/.tmp/pages/event-create/event-create.ngfactory.ts:922:137
        [12:40:16] Property ‘eventCost’ does not exist on type ‘EventCreatePage’.
        [12:40:16] ngc failed
        [12:40:16] ionic-app-script task: “build”
        [12:40:16] Error: Error

  • Total Beginner

    The example above uses Jorge’s own “firebase storage bucket”
    match /b/bill-tracker-e5746.appspot.com/o {

    It must be changed to whatever your storage bucket url is:

    match /b//o {

  • Total Beginner

    Somehow Firebase storage rule “allow read, write: if request.auth.uid == userId;” does not allow image upload from the app (as tested from Ionic view).

    But when “if request.auth != null;” is used, images can be uploaded.