Firebase Database Rules Tutorial

Key Takeaways

security is a critical concern for any web application a secure app must prevent unauthorized database operations as well as validate the integrity of incoming data firebase allows you to define database security logic and a JSON file that corresponds to the structure of your database the no sequel database is essentially just a series of nodes and each node can have its own validation and security rules for example you might have some data that's accessible to everybody that visits the site or you might have some data that should only be accessed by authenticated users or other data that's only accessible to the user that created it and this lesson I'm going to go through all these different scenarios and show you how to implement these or Squier based database rules you can define firebase rules directly from your angular project or from the firebase clone form personally I prefer using the firebase console because you can send test requests to make sure that your rules are working properly there are three types of rules you can set read write and validate read controls access to data write controls the ability to create edit or delete data and validate control format of data you can use any combination of these rules together or none of them at all there's also a series of variables that give you access to firebase resources auth gives you access to the user authentication state roof gives you access to the root note of the database data gives you access to the data as it appears before the operation takes place new data shows you how the data will appear after an operation takes place now gives you the UNIX timestamp for the current time there is also a wild card variable that you can use to reference any child key throughout the database now let's run through some of the most common security scenarios Google might run into first we can just disable all security so anybody can read or write to the database we can put everything on lockdown to where nobody can redirect to the database we can limit access to only authenticated users who are currently logged in we can also limit users access to only content that they created we do this by using the wild card variable that we talked about earlier in this case we have some data as nested under a user ID so we can then reference that user ID to make sure it matches the current auth ID of the logged in user in this example we're only going to allow users who have been flagged as moderators to write data to the database we do this by first setting a moderator variable to true somewhere else in the database then we use the root variable to traverse to wherever that point is you can also use firebase rules to validate the integrity or format of incoming data in this case I'm validating that some input is a string and that it's at least one character long but less than or equal to 140 characters [Music] the now variable allows you to validate whether some data calls within a certain time frame in this case we're checking to make sure the post doesn't have a timestamp that fall at a future time you can validate that new data has certain child attributes by calling the get children function and then passing it an array of the attributes that you want to check lastly you can validate the existence or the non-existence of data before performing some kind of operation this is useful because it allows you to control whether or not a user can create update or delete some data a common pitfall with firebase rules is that once you grant access to a resource it can't be revoked somewhere further down the tree so you always want to err on the side of caution and only grant access when specific credit conditions have been met so in this example you can see that we granted access initially but then try to deny access later in the tree to only authenticated users when we run a test to this rule we see that it fails NIT grant access to the user that should not have access so when we reverse this around and deny access initially we can see that the rule then does work we send the corresponding request that's it for database rules thanks for watching [Music]