Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Security&RulesQuickstartFirebase
5 MINUTE QUICKSTART
.read
, and
.validate
Rule
Description
Type
.read
.write
https://www.firebase.com/docs/security/quickstart.html
1/6
15/3/2016
Security&RulesQuickstartFirebase
.validate
Defines what a correctly formatted value will look like, whether it has child
attributes, and the data type.
Security and Firebase Rules have a JavaScript-like syntax which makes them
easy to work with. By default, your app has rules which grants every request full
read and write permissions to your database:
1.
2.
3.
4.
5.
6.
{
"rules": {
".read": true,
".write": true
}
}
Security and Firebase Rules live on the Firebase servers and are enforced at
all times. Every read and write request will only be completed if your rules allow
it. With the default rules above, all requests will be permitted.
SECURITY BEHIND THE SCENES
Firebase handles many other security details for you. Specifically, we use
strong 2048 bit keys for our SSL certificates, sign authentication tokens
with SHA256 HMAC signatures, and use BCrypt for password storage.
Description
2/6
15/3/2016
Security&RulesQuickstartFirebase
The current time in milliseconds since Linux epoch. This works particularly
now
root
attempted operation. It includes the new data being written and existing
data.
data
attempted operation.
$variables
auth
These variables can be used anywhere in your Security and Firebase Rules. For
example, the security rules below ensure that data written to the
/foo/
node
{
"rules": {
"foo": {
// /foo is readable by the world
".read": true,
https://www.firebase.com/docs/security/quickstart.html
3/6
15/3/2016
Security&RulesQuickstartFirebase
6.
7.
8.
9.
10.
11.
12.
13.
14.
{
"messages": {
"message0": {
"content": "Hello",
"timestamp": 1405704370369
},
"message1": {
"content": "Goodbye",
"timestamp": 1405704395231
},
...
}
}
variables in rules which represent dynamic child keys. In addition, we can use
.validate
$message
1.
2.
/messages/
node's children:
{
"rules": {
https://www.firebase.com/docs/security/quickstart.html
4/6
15/3/2016
Security&RulesQuickstartFirebase
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
"messages": {
"$message": {
// only messages from the last ten minutes can be read
".read": "data.child('timestamp').val() > (now - 600000)",
auth
variable
in your Security and Firebase rules. This variable contains the user's auth
payload, which includes that user's unique identifier ( uid ), and the name of the
provider they logged with. Built-in providers also add provider-specific fields to
auth
, such as the user's name. If you implement a custom login provider, you
uid
users
values for every user. If you wanted to restrict access to this data
such that only the logged-in user can see their own data, your rules would look
something like this:
1.
2.
{
"rules": {
https://www.firebase.com/docs/security/quickstart.html
5/6
15/3/2016
Security&RulesQuickstartFirebase
3.
4.
5.
6.
7.
8.
9.
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid"
}
}
}
}
Next Steps
This just gave you a quick summary of the basics of Firebase security and told
you what is possible with the flexible Security and Firebase rules. Continue
reading on through the rules guide for more detailed explanations and many
more example rules. You can also check out the full Security and Firebase Rules
API documentation.
https://www.firebase.com/docs/security/quickstart.html
6/6