Hey everybody. Just in case you missed the point... NEVER ship a Firebase app without solid rules in place first!
Same goes with StackBlitz. It's a wonderful tool, but DO NOT share a production API key there.
I'm sure you could scrape a bunch of secret keys there
Very useful Jeff, thanks for your awesome videos
I'm using the rule (allow read, write: if request.auth.uid != null). When I'm logged in I get data, it's OK, but when I log out the user I get the error: Missing or insufficient permissions. First I thought it was because I didn't unsubscribe the Observable; I tried (rxjs/operator/takeWhile) and even used the async pipe. I got the same error. Please help!!!
You are allowing read and write ONLY if the request.auth.uid is not null. So!
Your speech is really on point and the video is so well edited (a minimalist edition like you did is awesome btw). Kudos for all the clean and straightforward explanations, 10/10.
Very important video! I've been waiting for someone to create a decent intro to Firestore rules like this, and I'm glad you showed us exactly how easy it can be to do something malicious to an unsecured database. Honestly I was asking myself for months how someone might go about erasing my database, and that was an eye-opener! I love how your tutorials are straight-to-the-point; every second always has something useful in it! Keep up the awesome work!! :)
Even though the title says something different, this is the most relatable Firestore security rules video I've seen till now. I'm a noob and trying to learn the Firestore system right now and this video was extremely helpful, well explained, not too long and not too short. Thanks a lot!
This is the best Firebase tutorial ever. You're amazing man!
The best and the only video you know to protect your data on Cloud Firestore. Thanks a lot buddy!
I loved the emphasis on “And it’s really important that you don’t mess up your back-end rules”
10/10 as always with this man... liked, subbed, notified
Thank you, much appreciated!
Am I the only one that watched all his videos till a point where I listen to it as a podcast? Great content
AWESOME!!! That's pure added value Jeff!
Thank you! This is a very important area that seems to get overlooked way too often.
Learnt a lot from this 3-year-old vid! Thanks mate
amazing video, i have a lot of trouble concentrating on reading the docs so this was incredibly helpful!
Very clean video, totally explaining exactly what I needed from Firebase to safely start developing. Firebase is new to me; I was concerned I couldn't do a lot of things I need to do and know how to do otherwise... But your videos show otherwise. Firebase is just different, but it's all there!
DevOps take note! Always something productive to look forward to, great content.
Thanks for putting so much time into making this... Always great videos and always stunning graphics, and crisp audio :D Always find my way back to your channel :)
Thanks Fireship! You keep me improving at my job thanks ❤
Great videos man, I've been looking for something in depth for a while. Will be getting myself your course/Book for sure.
Hey guys, this is really good stuff. The docs on Firestore are great but only cover the basics. These videos show some really clever tricks for writing more secure Firebase apps.
Keep up the good work! Your videos are always the best and to the point
Great content on this video and the channel overall. Thanks, I like how on point your examples are and I can't really understand how anyone would downvote a video like this...
The upvote is you, who got scared by the title for the kind of hack that might befall your database and quickly clicked on the link. The downvote is the evildoer who expected to learn how to hack into your database but won't be able to do so anymore. @Fireship Thanks for the great content!!
This is an amazing video; it answered all of my questions for the serverless app I was going to make.
Thank you!
I was confused about this thing before watching this. But now everything becomes clear. Nice explanation ☺️. Thank you 🙂
This video content is super important and useful to me. Thank you!
OMG this video helped me so much!!!!! Hope you can do more videos like this!! Keep moving on 👍👍
This is the best video explaining Firebase operation roles; we're waiting for you to add more, thnx Jeff
Very useful content about using functions to build authentication rules. I had never seen this before.
Thank u! I've learned a lot. It's just so perfect because I am writing security rules for my app's Firestore
How can you apply what is told at 9:23 for reading data? Thanks a lot!
Thanks so much for this video! It was a huge help!
Very good, keep making videos about security rules in Firestore, there is very little material on the web ... - from Brazil
Will do, I often incorporate them into my advanced lessons. Also, I think the official Firebase team has some rules content around the corner.
Your timing couldn't be better. I needed something exactly like that a few hours ago. Perfect as always, thanks a bunch!
Quick question: what about the database.rules.json file? Should I match it to the backend rules? If so, what's the "translation" of it to a JSON file?
Those rules apply to Realtime DB, but this video is specific to Firestore. If you run `firebase init firestore` it will generate another file to define your rules in the IDE.
Angular Firebase Awesome. Thank you!
For the roles, I would suggest using customClaims on the JWT supported by Firebase Auth, and it's server-side.
These are super important tips; I think the Google Firebase team must have these kinds of checklists in place
Your video was extremely clear and informative. I just wanted to mention that I didn't quite understand the reference to episode 75 regarding user-based rules. Can you please clarify that for me?
Really glad to find your channel, since I want to learn about serverless using Firestore and Google Cloud Functions.
One topic that I am not really confident about yet is security rules. Do you have a course about security rules?
I only found the web page about the Firestore security rules cookbook on your website; I mean the video version of this. Do you have one?
A pro version on your website is also OK.
Because it is about security, it will be great if I can learn deeply through the video from beginner level to advanced.
Thank you very much for all your content, hope you make it because I can't find a good one on the internet 😀
Best explanation ever 👌 👏
Extremely helpful and easy to understand! I have a question though which is not related to the content of this video, but let's say you wanted to ship an app to the Chinese market; I assume Firebase doesn't work there, right? Is AWS Amplify or another product an appropriate alternative for this kind of issue? Thx, have a great day!
the title scared me at first but I really enjoyed it. I am always ready to take things to the next level... :)
Haha, that was my goal :)
At 5:53 you say or-statements only check "if one of the conditions is true"; did you mean to say "if one or both of the conditions are true", or is `or` treated as XOR by firebase?
Probably he meant to say if one or both of the conditions are true. You can very easily test it in the simulator if that makes any difference, you could test: allow read: if true || true;
I am thinking, if I am offering a service which is open to the public (like a survey or something), my only option would be (as far as I understand) to allow read/write for everyone (maybe restricting it to a specific collection?), but still it would be public write access...
What can be done about this scenario? Because even if we add anonymous authentication, the curl request that you talked about in the beginning of your video will still contain all the data required to run it... and can be pasted in a terminal and then we're done again...
I cannot find anything on this on Google either... maybe I am missing something very obvious here.
You could allow create and read, but no update or delete. However, the biggest problem is that anybody can request as many reads and creates as they want, which might leave you with a huge Firestore bill. As long as we can't limit this behavior I suggest staying away from Firestore
@@spl45hz There has to be a workaround for this. Why isn't this happening with more people?
Hi Jeff! Thanks for this one!
Do you know if there is a way to integrate AppCheck into an ionic capacitor app?
About the timeouts, you show us how to prevent users from modifying a document, but how would I prevent someone to spam create documents? For instance, I want to limit to 10 documents a minute to be created in /users/{userId}/files/, is that possible?
you can with query.limit < 10
This is not the original post, but a second revision. Anyway thank you.
sweet! Exactly what I was looking for!
8:22 Can I use the similar method to get data stored in Firebase Realtime Database?
Does that work for protecting videos from being watched or downloaded if the user is not subscribed or hasn't bought the video course, for example?
Wouldn't having the roles in the user's document be unsafe because that user can edit that document and potentially promote their role? I guess you could always check the incoming data for modifications to the roles portion of the object. Would it be better to have a separate collection that contains all of the user roles that they can't access?
Or how about using custom claims on their auth object
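The thread above contrasts two ways of holding a user's role: inside the user's own Firestore document (which that user can write) versus as a custom claim on the auth token. The rules file below is an added example, not from the video or the Fireship project, and it assumes a `users` collection with a `roles` field, an `admin` custom claim set server-side with the Admin SDK, and a hypothetical `admin` collection. It shows the weak form commented out, then two hardened forms: one that keeps roles in the document but denies any write that touches the `roles` key, and one that reads the role from `request.auth.token` so the client cannot change it at all.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak form (shown only for contrast, do not deploy): the owner may write the
    // whole document, so nothing stops them from setting roles: ['admin'].
    // match /users/{userId} {
    //   allow read, write: if request.auth != null && request.auth.uid == userId;
    // }

    // Hardened form 1: roles stay in the document, but the `roles` key is
    // read-only from the client. On create the key may not be present at all; on
    // update it may not be among the keys the write changes (diff/affectedKeys).
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow create: if request.auth != null && request.auth.uid == userId
                    && !('roles' in request.resource.data);
      allow update: if request.auth != null && request.auth.uid == userId
                    && !('roles' in request.resource.data.diff(resource.data).affectedKeys());
      // delete is not granted, so it is denied by default
    }

    // Hardened form 2: the role lives in the ID token as a custom claim (assumed
    // claim name: admin). Custom claims are minted server-side, so a client
    // cannot grant itself this access. A missing claim evaluates to a deny.
    match /admin/{docId} {
      allow read, write: if request.auth != null && request.auth.token.admin == true;
    }
  }
}
```

With form 1 the `roles` field can only be set by a trusted writer such as a Cloud Function using the Admin SDK, which bypasses rules; with form 2 nothing about the role is stored in a client-writable place, which is why the replies in this thread recommend custom claims.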
I want a user to only edit the data of other users if he/she clicks on their profile. How to write rules for the scenario?
What would happen if someone spammed my DB with requests, increasing my Firebase bill?
I guess that's what Google wants. It's very easy to loop with a read request.
@@nfaical3 fair enough...
It's funny that Fireship made a YouTube post (don't know what to call them) where it says they were "attacked" just like you say
In the case when we want to restrict access to data that user owns: what if the userId is stolen? (request.auth.uid) Is there anything that verifies that?
I guess he needs to steal the password as well, since u can check if the user is authenticated.
Maybe a stupid question... but what if i am somehow able to set the uid to 1, true, or any other value as long as it's not null?
you helped me so much. thanks
What if I need to put some validation on the data in the incoming request but the validation code needs me to define some variables and is not small code it is complex, what should I do in this case???
If you have your entire app hosted on one Firebase project, i.e. Hosting, Firestore, Cloud Functions etc., is it possible to only allow requests from things on this project? So for example only allow database connections from the site hosted on your project, or only allow the database to be accessed by Cloud Functions on your project. In effect, just stopping random IPs from connecting to your database or firing your functions?
Isn't request.time supposed to be greater than resource.data.createAt (this file is the one already existing, so it will be an update operation)?
The way you've written it means the request always has to be in the past.
In this case you allow update on {productId} for the first 60 secs, then you always deny?
My question is: how can I find that product's id? I guess the Firebase front end doesn't show the id of the product to the client side.
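The timeout question above concerns an update rule that compares `request.time` with a creation timestamp stored on the document. The rules file below is an added example, not code from the video, and it assumes a `products` collection whose documents carry a `createdAt` timestamp field. It shows one way to write a 60-second edit window so that the window is anchored to the server clock and cannot be reopened by the client: the rule passes while `request.time` is still earlier than `createdAt` plus the window, and denies every update after that.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /products/{productId} {
      // assumed: a public catalogue, so anyone may read
      allow read: if true;

      // create: the document must be stamped with the server time. A client
      // writing FieldValue.serverTimestamp() satisfies this because rules see
      // that sentinel as request.time; a client-chosen timestamp is rejected.
      allow create: if request.auth != null
                    && request.resource.data.createdAt == request.time;

      // update: only while the document is younger than 60 seconds, and the
      // stamp itself must be unchanged so the window cannot be pushed forward.
      // Once request.time passes createdAt + 60s the comparison fails and every
      // later update is denied.
      allow update: if request.auth != null
                    && request.time < resource.data.createdAt + duration.value(60, 's')
                    && request.resource.data.createdAt == resource.data.createdAt;

      // delete is not granted, so it is denied by default
    }
  }
}
```

The second condition on `update` is the part most often forgotten: without it, a client could overwrite `createdAt` with a newer server timestamp on each edit and keep the window open indefinitely.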
Is it possible to only allow read if on your hosted domain?
So if I did my rules right, the curl -x command should not work right? I pressed enter and nothing happened..so I am guessing atleast that collection I tested is safe.
Hey, thanks for this great video. I wanted to know how we can have rules in a chat app where I have two types of roles, seller and buyer, and I want to prevent seller-seller or buyer-buyer communication; basically I want that only seller-buyer can communicate. Some insights on this would be really helpful.
How do you test and deploy these rules?
Is it possible to expose credentials while using Firebase with a React Native mobile app?
What if I have a query like this.db.collection(`users`, ref => ref.where("someProperty", "==", someValue));?
This sounds too complicated for me; where should I go to understand how to secure my saved data?
Awesome, thanks!
These rules don't exist in the Firebase Realtime Database? How can I protect my Realtime data??
Thanks man , it's awesome
How to change a rule for a particular collection?
Like I have a collection by the name Test and in the collection there are documents. All documents have the same fields. I want every document's field to have different data.
How can I give a specific user the verified badge in my app?
Need to know what background music is playing... can anyone??
Hi,
Kindly reply, it's so urgent.
I have 2 apps, 1 is for company and another one is for clients.
And in both the apps, registered users are modifying data in the same collection documents. No one is the owner of any document. In that case, how can I make sure that my Firebase data is safe for that collection?
I am just checking that the user is an authenticated user in the rules.
Please please reply, I am very scared before publishing my apps.
Firebase suggests using custom claims for role auth
thanks bro you help me
How do I navigate to two-word collections like 'user record', e.g. match/ user record/{urId}
please help! I’m stuck
Have you figured this out?
@@yocheeseify you have to restructure your data; so far there is no solution for this. It's also good practice to use the naming conventions like in coding.
@@Cnuggets ah gotcha. Thanks for the assist!
The Apocalypse You are welcome. Happy Coding!
Jeff is a legend
Is there any way I can limit the number of docs user can create?
I have a field "owner" = "user@email.com" in a doc, and I don't want a new record if there are already 100 records with this owner.
What should I do if the Firebase OTP has been shared?
hi my friend
How can I monitor my Firestore database so that whenever new data is added by a user, the admin gets a notification in his app?
That's a good use case for a cloud function. Check out some of these lessons for ideas angularfirebase.com/tag/functions/
Angular Firebase I will, thank you very much
How to get my firebase based android app's IP address?
Thank you!
Awesome thanks!
I'm using the rule (allow read, write: if request.auth.uid != null). When I'm logged in I get data, it's OK, but when I log out the user I get the error: Missing or insufficient permissions. First I thought it was because I didn't unsubscribe the Observable; I tried (rxjs/operator/takeWhile) and even if I used the async pipe, I got the same error. Please help!!!
You only allowed read and write under the condition request.auth.uid != null (only allowed when logged in).
Great tutorial.
Amazing good job!
Everybody, use *Custom Claims* for role based access, not this way.
I wish I knew how to speak English so I wouldn't have to keep using subtitles hahaha... but congratulations on your work =]
hahaha A Brazilian here
really helpful
This is so cool !!
awesome as always
0:24 Savage
Just need an alternative and functional OS for the Moto Z⁴... Shilltube offers no examples, and Google doesn't want to show those search results.
Super helpful
The real title of this video is: how to prevent your Firestore from getting hacked !
MUCH LOVE
Just subscribed
Please hack code password for firebase
Lifesaver
Wish I could have 10 - 30 mins of slack time with you.
12 Guys is the one who tried to hack into your apps
You're not teaching how to hack it, you're teaching how to secure it, everything you did to "hack" is by design. Great tutorial, I just suggest you fix the title and description of the video.
That's a fair point, but the title is tongue-in-cheek. My main goal is to emphasize that your Firebase data is vulnerable unless you secure it with rules.
Yes, I totally understand that, Jeff. I just mean that some people might expect to learn how to secure against an actual hack. Kind of click bait, if you know what I mean. But I also think it's good to bring attention to this aspect of Firestore, since it's becoming famous and it's still something new.
Thanks for the response and for the video!
nice bait