security

API Versioning Trick for Firebase

Many people make the mistake of thinking that Firebase is simply a way to sync data between devices. Without digging any deeper, you might think it's a bit of a one-trick pony. Anyone who has ever seen a demonstration of Firebase will know that Firebase is far more than this. Firebase…

Firebase Security Rules Proposal : Restricted IP Addresses

If you're using backend processors with Firebase, you probably know not to authenticate the server with your Firebase secret. Instead you should be using custom tokens. Many people, ahem, use custom tokens with an "admin" : true flag in the payload. With the admin flag, Firebase ignores all security rules…

Ensuring Unique Mobile Numbers with Firebase

SUBTITLE: Without getting Snapchatted. Credits: This workflow is based on a Stack Overflow answer from Kato. Quite often, an online service's signup process requires the user to enter their mobile number. They need to make sure the user owns the number and will usually verify it via SMS. However, they can't…

Firebase Validation Rules Proposal

A while back, I wrote about problems with performing validation with Firebase. In an email exchange with Firebase, the representative indicated that providing more information was a security risk. I can see some logic in that, but I don't really agree with it. Firebase just responding with "PERMISSION_DENIED" is…

Firebase Rate Limiting Proposal

I was digging around trying to find some means to do rate limiting on Firebase references. I found this answer on Stack Overflow that describes a method to do it. At first blush, I assumed this only works for a client that respects the rules and writes to last_message faithfully…