Hey everybody. Just in case you missed the point... NEVER ship a Firebase app without solid rules in place first!
@patrickmullot73 6 years ago
Same goes for StackBlitz. It's a wonderful tool, but DO NOT share production API keys there.
@Fireship 6 years ago
I'm sure you could scrape a bunch of secret keys there
6 years ago
Very useful Jeff, thanks for your awesome videos
@moradabdelgaber5958 6 years ago
I'm using the rule ( allow read, write: if request.auth.uid != null ). When I'm logged in I get data, it's OK, but when I log out the user I get the error: Missing or insufficient permissions. First I thought it was because I didn't unsubscribe the Observable; I tried (rxjs/operator/takeWhile) and even used the async pipe. I got the same error. Please help!!!
@janoschii 6 years ago
You are allowing read and write ONLY if request.auth.uid is not null. So!
@MatuellaSlipknot 6 years ago
Your speech is really on point and the video is so well edited (a minimalist edit like you did is awesome btw). Kudos for all the clean and straightforward explanations, 10/10.
@justserv 6 years ago
Very important video! I've been waiting for someone to create a decent intro to Firestore rules like this, and I'm glad you showed us exactly how easy it can be to do something malicious to an unsecured database. Honestly I was asking myself for months how someone might go about erasing my database, and that was an eye-opener! I love how your tutorials are straight-to-the-point; every second always has something useful in it! Keep up the awesome work!! :)
@sellyshootsandscores9300 1 year ago
I loved the emphasis on “And it’s really important that you don’t mess up your back-end rules”
@goku21youtub 4 years ago
Even though the title says something different, this is the most relatable Firestore security rules video I've seen till now. I'm a noob trying to learn the Firestore system right now and this video was extremely helpful, well explained, not too long and not too short. Thanks a lot!
@dalemoncayo 6 years ago
This is the best Firebase tutorial ever. You're amazing man!
@iMed-Med 3 years ago
Am I the only one that watched all his videos till a point where I listen to it as a podcast? Great content
@Hardikkmadaan1702 5 years ago
The best and the only video you need to protect your data on Cloud Firestore. Thanks a lot buddy!
@zoidbergZA 6 years ago
10/10 as always with this man... liked, subbed, notified
@Fireship 6 years ago
Thank you, much appreciated!
@patrickmullot73 6 years ago
AWESOME!!! That's pure added value Jeff!
@Fireship 6 years ago
Thank you! This is a very important area that seems to get overlooked way too often.
@holylambo 1 year ago
Amazing video, I have a lot of trouble concentrating on reading the docs so this was incredibly helpful!
@MatthijsvanHest 6 years ago
Very clean video, explaining exactly what I needed from Firebase to safely start developing. Firebase is new to me, and I was concerned I couldn't do a lot of things I need to do and know how to do otherwise... But your videos show otherwise: Firebase is just different, but it's all there!
@prabhursec9627 3 years ago
I was confused about this before watching this. But now everything is clear. Nice explanation☺️. Thank you🙂
@samadritsarkar2 3 years ago
Learnt a lot from this 3-year-old vid! Thanks mate
@thijsoudeavenhuis1015 6 years ago
Hey guys, this is really good stuff. The docs on Firestore are great but only cover the basics. These videos show some really clever tricks for writing more secure Firebase apps.
@chordfunc3072 5 years ago
Thanks for putting so much time into making this... Always great videos and always stunning graphics, and crisp audio :D I always find my way back to your channel :)
@thitemple 5 years ago
Great content on this video and the channel overall. Thanks, I like how on point your examples are and I can't really understand how anyone would downvote a video like this...
@chngo7180 5 years ago
The upvote is from you, who got scared by the title for the kind of hack that might befall your database and quickly clicked on the link. The downvote is from the evildoer who expected to learn how to hack into your database but won't be able to do so anymore. @Fireship Thanks for the great content!!
@bensonmwaura9494 6 years ago
DevOps take note! Always something productive to look forward to, great content.
@imacuser101 6 years ago
Keep up the good work! Your videos are always the best and to the point
@zeroblackstar 6 years ago
Great videos man, I've been looking for something in-depth for a while. Will be getting your course/book for sure.
@Rafael-hk9pg 3 years ago
How can you apply what is told at 9:23 for reading data? Thanks a lot!
@moibe182 1 year ago
Thanks Fireship! You keep me improving at my job, thanks ❤
@Rouwen87 2 years ago
This is an amazing video, it answered all of my questions for the serverless app I was going to make. Thank you!
@kamalkamals 6 years ago
This is the best video explaining Firebase rules, we're waiting for you to add more, thnx Jeff
@LERSHEANLIM 10 months ago
OMG this video helped me so much!!!!! Hope you can do more videos like this!! Keep moving on👍👍
@FidelGuajardo 5 years ago
This video content is super important and useful to me. Thank you!
@FidelGuajardo 5 years ago
Very useful content about using functions to build authentication rules. I had never seen this before.
@albertrenshaw4252 6 years ago
At 5:53 you say or-statements only check "if one of the conditions is true"; did you mean to say "if one or both of the conditions are true", or is `or` treated as XOR by Firebase?
@TimeoutMegagameplays 5 years ago
Probably he meant to say "if one or both of the conditions are true". You can very easily test it in the simulator if that makes any difference; you could test: allow read: if true || true;
@adriantabay97 6 years ago
Thank u! I've learned a lot. It's just so perfect because I am writing security rules for my app's Firestore.
@georgedicu6001 2 years ago
For the roles, I would suggest using customClaims on the JWT supported by Firebase Auth, and it's server-side.
@timsecond 4 years ago
8:22 Can I use a similar method to get data stored in Firebase Realtime Database?
@RafaelSantos-pq4od 6 years ago
Very good, keep making videos about security rules in Firestore, there is very little material on the web... - from Brazil
@Fireship 6 years ago
Will do, I often incorporate them into my advanced lessons. Also, I think the official Firebase team has some rules content around the corner.
@GalTadmor 6 years ago
Your timing couldn't be better. I needed something exactly like that a few hours ago. Perfect as always, thanks a bunch! Quick question: what about the database.rules.json file? Should I match it to the backend rules? If so, what's the "translation" of it to a JSON file?
@Fireship 6 years ago
Those rules apply to Realtime DB, but this video is specific to Firestore. If you run `firebase init firestore` it will generate another file to define your rules in the IDE.
@GalTadmor 6 years ago
Angular Firebase Awesome. Thank you!
@contactmsr 5 years ago
These are super important tips, I think the Google Firebase team must have these kinds of checklists in place
@dustinpatterson3534 3 years ago
Thanks so much for this video! It was a huge help!
@MuhammadbinYusrat 4 years ago
I am thinking, if I am offering a service which is open to the public (like a survey or something), my only option would be (as far as I understand) to allow read and write for everyone (maybe restricting it to a specific collection?), but still it would be public write access... What can be done about this scenario? Because even if we add anonymous authentication, the curl request that you talked about in the beginning of your video will still contain all the data required to run it, and can be pasted in a terminal and then we're done again... I cannot find anything on this on Google either... maybe I am missing something very obvious here.
@spl45hz 4 years ago
You could allow create and read, but no write or delete. However, the biggest problem is that anybody can request as many reads and creates as he wants, which might leave you with a huge Firestore bill. As long as we can't limit this behavior I suggest staying away from Firestore.
@spl45hz 4 years ago
Actually I ran some tests. While spamming is still possible, when an attacker spams your writes with one account as much as possible (in my test I achieved 15 writes per second with one mobile device, but without multithreading), it would cost you around 15*60*60*25/100.000 *0,18=2,33$ per day. However, if an attacker could manage to attack you with 10 threads simultaneously, he can achieve damage of around 23$ per day. Or with a small botnet, which might cost around 2000$ a month or 70$ a day according to Kaspersky (with around 100 active bots and assuming 10 writes per bot = 1000 writes per second), it would cost you around 150$ a day in damages. An attacker therefore might collect ransom from you; this happened a lot with DDoS in the past and might become a problem if the app/service grows larger. One last thing: I wrote 10.000 documents from the same user in a short period of time without throttling, so Firestore does not automatically limit requests.
@MuhammadbinYusrat 4 years ago
@@spl45hz There has to be a workaround for this. Why isn't this happening to more people?
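For the public-submission case this thread discusses ("allow create and read, but no write or delete"), here is an added example of Firestore rules, not from the video or from any commenter, that lets anyone create a well-formed response and nothing else; the collection name and the `answer`/`createdAt` fields are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Public submission box (collection and field names are assumptions):
    // anyone, even unauthenticated, may create one well-formed response
    // document; nobody may read, update or delete it from the client.
    match /surveyResponses/{responseId} {
      allow read, update, delete: if false;

      allow create: if
        // no extra fields: only the two the app defines
        request.resource.data.keys().hasOnly(['answer', 'createdAt'])
        && request.resource.data.answer is string
        && request.resource.data.answer.size() > 0
        && request.resource.data.answer.size() <= 500
        // client must send serverTimestamp(); a client-chosen time is rejected
        && request.resource.data.createdAt == request.time;
    }

    // Rules validate shape, not volume: a loop posting valid documents is
    // still allowed, so quotas and App Check, not rules, address the billing
    // concern raised in the replies above.
  }
}
```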
@georgedicu6001 2 years ago
Isn't request.time supposed to be greater than resource.data.createAt (this file is the one already existing, so it will be an update operation)? The way you've written it means the request has to always be in the past. In this case you allow update on {productId} for the 1st 60 secs, then you always deny?
@razakadam74 6 years ago
The title scared me at first but I really enjoyed it. I am always ready to take things to the next level... :)
@Fireship 6 years ago
Haha, that was my goal :)
@TimeoutMegagameplays 5 years ago
About the timeouts, you show us how to prevent users from modifying a document, but how would I prevent someone from spamming document creation? For instance, I want to limit creation in /users/{userId}/files/ to 10 documents a minute, is that possible?
@ahsath 5 years ago
You can with query.limit < 10
@ngotechy 1 year ago
Your video was extremely clear and informative. I just wanted to mention that I didn't quite understand the reference to episode 75 regarding user-based rules. Can you please clarify that for me?
@CardinalHijack 5 years ago
If you have your entire app hosted on one Firebase project, i.e. hosting, Firestore, cloud functions etc., is it possible to only allow requests from things on this project? So for example only allow database connections from the site hosted on your project, or only allow the database to be accessed by cloud functions on your project. In effect, just stopping random IPs from connecting to your database or firing your functions?
@agung_laksana 5 years ago
Really glad to find your channel since I want to learn about serverless using Firestore and Google Cloud Functions. One topic that I am not really confident about yet is security rules. Do you have a course about security rules? I only found the web page about the Firestore security rules cookbook on your website; I mean the video version of this. Do you have one? A pro version on your website is also OK. Because it is about security, it would be great if I could learn deeply through video from beginner level to advanced. Thank you very much for all your content, hope you make it because I can't find a good one on the internet 😀
@tntg5 3 years ago
Hi Jeff! Thanks for this one! Do you know if there is a way to integrate AppCheck into an Ionic Capacitor app?
@postfixnotation9829 4 years ago
Extremely helpful and easy to understand! I have a question though which is not related to the content of this video, but let's say you wanted to ship an app to the Chinese market; I assume Firebase doesn't work there, right? Is AWS Amplify or another product an appropriate alternative for this kind of issue? Thx, have a great day!
@gurucode.studio 4 years ago
Does that work for protecting videos from being watched or downloaded if the user is not subscribed or hasn't bought the video course, for example?
@godmen11 6 years ago
In the case where we want to restrict access to data that the user owns: what if the userId (request.auth.uid) is stolen? Is there anything that verifies that?
@robrabbit8288 4 years ago
I guess he needs to steal the password as well, since you can check if the user is authenticated.
@MrLuc420 6 years ago
Sweet! Exactly what I was looking for!
@robbertstapel788 2 years ago
Maybe a stupid question... but what if I am somehow able to set the uid to 1, true, or any other value as long as it's not null?
@haidarrmehsen 4 years ago
What if I need to put some validation on the data in the incoming request, but the validation code needs me to define some variables and is not small, it is complex code? What should I do in this case???
@PACKERSFANSheshank 5 years ago
What would happen if someone spammed my DB with requests, increasing my Firebase bill?
@nfaical3 4 years ago
I guess that's what Google wants. It's very easy to loop with a read request.
@PACKERSFANSheshank 4 years ago
@@nfaical3 fair enough...
@TheJorge421 4 years ago
It's funny that Fireship made a KZbin post (don't know what to call them) where it says they were "attacked" just like you say
@konfinoyair 5 years ago
This is not the original post, but a second revision. Anyway thank you.
@KarlSchmaltz 4 years ago
Wouldn't having the roles in the user's document be unsafe because that user can edit that document and potentially promote their role? I guess you could always check the incoming data for modifications to the roles portion of the object. Would it be better to have a separate collection that contains all of the user roles that they can't access?
@David-dw8wy 1 year ago
Or how about using custom claims on their auth object
@saranshagarwal2500 6 years ago
How do I change the rule for a particular collection? Like, I have a collection by the name Test and in the collection there are documents. All documents have the same fields. I want every document field to have different data.
@cigrastudio_dev 2 years ago
I want a user to only edit the data of other users if he/she clicks on their profile. How do I write rules for this scenario?
@remoreacts91 6 years ago
So if I did my rules right, the curl -x command should not work, right? I pressed enter and nothing happened, so I am guessing at least the collection I tested is safe.
@williamxsp 5 years ago
What if I have a query like this.db.collection(`users`, ref => ref.where("someProperty", "==", someValue));?
@Laithabujbara 3 years ago
Best explanation ever 👌 👏
@rudrasarkar1852 4 years ago
My question is: how can I find that product's id? I guess the Firebase front end doesn't show the product id to the client side.
@AmitK 6 years ago
Is it possible to expose credentials while using Firebase with a React Native mobile app?
@bono95zg 6 years ago
Is it possible to only allow read if on your hosted domain?
@maheshj01 4 years ago
Hey, thanks for this great video. I wanted to know how we can have rules in a chat app where I have two types of roles, seller and buyer, and I want to prevent seller-seller or buyer-buyer communication; basically I want only seller-buyer to be able to communicate. Some insights on this would be really helpful.
@deepikamadaan95 4 years ago
Hi, kindly reply, it's so urgent. I have 2 apps, 1 is for the company and another one is for clients. And in both apps, registered users are modifying data in the same collection documents. No one is the owner of any document. In that case how can I make sure that my Firebase data is safe for that collection? I am just checking that the user is an authenticated user in the rules. Please please reply, I am very scared before publishing my apps.
@kirill4531 5 years ago
Is there any way I can limit the number of docs a user can create? I have a field "owner" = "user@email.com" in a doc, and I don't want a new record if there are already 100 records with this owner.
@egamingizback444 3 years ago
How can I give a specific user the verified badge in my app?
@Cnuggets 5 years ago
How do I navigate to two-worded collections like ‘user record’, ex: match /user record/{urId}
@Cnuggets 5 years ago
Please help! I’m stuck
@yocheeseify 5 years ago
Have you figured this out?
@Cnuggets 5 years ago
@@yocheeseify You have to restructure your data; so far there is no solution for this. It's also good practice to use naming conventions like in coding.
@yocheeseify 5 years ago
@@Cnuggets Ah gotcha. Thanks for the assist!
@Cnuggets 5 years ago
The Apocalypse You are welcome. Happy coding!
@OfferoC 6 years ago
How do you test and deploy these rules?
@adminmail6006 6 years ago
Need to know what background music is running... can anyone??
@moradabdelgaber5958 6 years ago
I'm using the rule ( allow read, write: if request.auth.uid != null ). When I'm logged in I get data, it's OK, but when I log out the user I get the error: Missing or insufficient permissions. First I thought it was because I didn't unsubscribe the Observable; I tried (rxjs/operator/takeWhile), and even if I used the async pipe, I got the same error. Please help!!!
@ThatsEli 6 years ago
You only allowed read and write with the condition request.auth.uid != null (only allow when logged in).
@MrMaxBushido 5 years ago
This sounds too complicated for me; where should I go to understand how to secure my saved data?
@mateja176 6 years ago
Jeff is a legend
@SouhailELAmrani 5 years ago
These rules don't exist in the Firebase Realtime Database? How can I protect my Realtime data??
@abdulalimrajoub6063 6 years ago
Thanks man, it's awesome
@konfinoyair 6 years ago
You helped me so much. Thanks
@boysattitude3283 1 year ago
What should I do if I have shared the Firebase OTP?
@ameerattaa2250 6 years ago
Hi my friend, how can I monitor my Firestore database so that whenever new data is added by a user the admin gets a notification on his app?
@Fireship 6 years ago
That's a good use case for a cloud function. Check out some of these lessons for ideas: angularfirebase.com/tag/functions/
@ameerattaa2250 6 years ago
Angular Firebase I will, thank you very much
@beneditomauroo 5 years ago
Firebase suggests using custom claims for role auth
@avilainkennefoue290 3 years ago
The real title of this video is: how to prevent your Firestore from getting hacked!
@budhanshukajla3793 4 years ago
How do I get my Firebase-based Android app's IP address?
3 years ago
Awesome, thanks!
@hojdog 6 years ago
Everybody, use *Custom Claims* for role-based access, not this way.
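Several comments above raise the same concern: a role stored in a document the user can edit lets the user promote themselves, and custom claims avoid that. As an added example (not the video's own rules), here is the self-editable profile with its `roles` field locked down, beside a collection gated on a custom claim; the collection names, the `roles` field and the `admin` claim are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Self-editable profile. The `roles` field (name assumed) is the risk the
    // comments point out: if the client can write it, the client can promote
    // itself. Block it on create and on update.
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;

      allow create: if request.auth != null && request.auth.uid == userId
        && !('roles' in request.resource.data);

      allow update: if request.auth != null && request.auth.uid == userId
        // diff() yields the keys that changed; deny if `roles` is one of them
        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['roles']);

      allow delete: if false;
    }

    // Preferred: gate privileged data on a custom claim. Claims are minted
    // server-side (Admin SDK setCustomUserClaims) into the ID token, so there
    // is nothing client-writable to tamper with. `admin` is an assumed claim.
    match /adminReports/{reportId} {
      allow read, write: if request.auth != null
        && request.auth.token.admin == true;
    }
  }
}
```

If the `admin` claim is absent from the token, `request.auth.token.admin` raises an evaluation error and the rule denies, which is the safe default.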
@vid2ification 4 years ago
Just need an alternative and functional OS for Moto Z⁴... Shilltube offers no examples, and Google doesn't want to show those search results.
@jorgeriveramx 3 years ago
Awesome as always
@HungTinTrinh 3 years ago
Amazing good job!
@drmucahiderdogan 3 years ago
Great tutorial.
@akashtakawale9074 3 years ago
This is so cool !!
@joshbedo8291 4 years ago
Awesome thanks!
@tfktoufik9724 2 years ago
Thanks bro, you helped me
@aankushchauhan 2 years ago
Really helpful
@shivam-dua 4 years ago
Thank you!
@LocalDegenn 5 years ago
0:24 Savage
@adamn1973 5 months ago
Super helpful
@solomonaryeetey7370 5 years ago
Just subscribed
@wesleycampos6586 6 years ago
I wish I knew how to speak English so I wouldn't have to keep using subtitles hahaha... but congratulations on your work =]
@TimeoutMegagameplays 5 years ago
Hahaha, a Brazilian here
@DjWizard1991 4 years ago
12 guys are the ones who tried to hack into your apps
@أخبارالآن-ك1ش 3 years ago
Please hack code password for firebase
@yeilmusic 5 years ago
MUCH LOVE
@razakadam74 6 years ago
Wish I could have 10 - 30 mins of slack time with you.
@tonyjaradev 3 years ago
Lifesaver
@dr_rick 6 years ago
You're not teaching how to hack it, you're teaching how to secure it; everything you did to "hack" is by design. Great tutorial, I just suggest you fix the title and description of the video.
@Fireship 6 years ago
That's a fair point, but the title is tongue-in-cheek. My main goal is to emphasize that your Firebase data is vulnerable unless you secure it with rules.
@dr_rick 6 years ago
Yes, I totally understand that, Jeff. I just mean that some people might expect to learn how to secure against an actual hack. Kind of click bait if you know what I mean. But I also think it's good to bring attention to this aspect of Firestore, since it's becoming famous and it's still something new. Thanks for the response and for the video!