Re: Firebase anonymous login: how to secure own (a...

Cubic · 04-14-2022 02:58 AM

I develop small web chat app. App store conversation in Firebase and display firebase record data on webpage.
When user open website - JS start new anonymous connection to Firebase and create new chat conversation record. How i can tune up Firebase secure rules for avoid read documents for another (anonymous) connections? I need secure conversation record content only for current anonymous connection and backend application.

Darrell_M

Hi,
Which database solution are you using for your chat app?
Regardless of your solution, please refer to this[1] page for our best practices when it comes to avoiding insecure rules.

Can you confirm that you are following the steps for enabling Anonymous Authentication from this page[2]?

From my research in the Firebase docs[2], when you use the "signInAnonymously" method, the observer registered in the "onAuthStateChanged" you can get the anonymous user's account data from the User object, which includes the UID.

In addition, I found this relevant post[3] to secure your Firebase Realtime Database with rules when you have Anonymous Sign in.

I hope you find this information useful.

[1] https://firebase.google.com/docs/rules/insecure-rules#access_for_any_authenticated_user
[2] https://firebase.google.com/docs/auth/web/anonymous-auth#authenticate-with-firebase-anonymously
[3] https://medium.com/@skytreasure/easy-way-to-secure-firebase-realtime-database-with-rules-when-you-ha...

Firebase anonymous login: how to secure own (anonymous connection) records?