Secure Your Firebase: Database Rules and Client Authentication

Niyi — Mon, 19 Jun 2023 19:56:26 +0000

Secure Your Firebase: Database Rules and Client Authentication

Introduction

As a member of the engineering team, one of our most important responsibilities is securing both internal and external data.
It is crucial to ensure that your Firebase databases are secure and protected from unauthorized access.

Understanding Firebase Database Rules

What are Firebase Database Rules?

Firebase makes developers' lives easier by providing a NoSQL cloud database solution that synchronizes data across all clients in realtime, while remaining available even when the app goes offline. \
Firebase Database Rules allow you to define access control and validation logic for your Firebase databases. These rules determine who can read or write data to your database and help protect your data from unauthorized access.

How Database Rules Work

Firebase Database Rules are written in a JSON-like syntax and are evaluated in order for each database request. The rules define conditions that must be met for a request to be allowed or denied. By properly configuring these rules, you can control access at various levels, such as the database root, specific nodes, or individual fields.

Example:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

Defining Secure Database Rules

To ensure the security of your Firebase database, it is important to follow certain best practices:

Limit read and write access to only authorized users or user groups.\
For example:\

allow read: if request.auth != null;
Within your app/client, use Firebase Authentication to authenticate users before granting access.
Implement validation rules to ensure the integrity of the data being written.
Be cautious while using wildcard or recursive rules and only use them when necessary.

{
  "rules": {
    "items": {
      "$itemId": {
        ".validate": "newData.isString() && newData.val().length <= 100"
      }
    }
  }
}

example of a validation rule that checks for a valid date

Implementing Database Rules Example

Checkout fireship.io's recipes for writing simple and complex rules
https://fireship.io/snippets/firestore-rules-recipes/

Client Authentication for Firebase Databases

Why Client Authentication is Important

Client authentication plays a vital role in securing your Firebase databases. By authenticating client connections, you can ensure that only authorized users can access your database, thereby preventing unauthorized data manipulation or leakage.

Firebase Authentication

Firebase provides a robust authentication system that supports various authentication providers, including email/password, Google, Facebook, and more. By integrating Firebase Authentication into your application, you can authenticate users and obtain unique user identifiers, which can be used for controlling database access.\
https://firebase.google.com/docs/auth

Best Practices for Client Authentication

Always use secure authentication methods, such as email/password, OAuth, or federated identity providers.
Implement appropriate security measures, such as enabling two-factor authentication (2FA) for admin users.
Regularly review and update your authentication system to incorporate the latest security practices.

Conclusion

Securing your Firebase databases is essential to protect sensitive data, maintain user trust and adhere to federal security guidelines. By following the guidelines provided in this blog post, you can establish robust database rules and authenticate client connections effectively.

Set up automated deployments with Google Cloud Run and Gitlab

Niyi — Fri, 07 May 2021 20:03:45 +0000

Let's look at how we can set up a continuous delivery pipeline for our Google Cloud Run projects with Gitlab CI/CD

Prerequisites
Google Cloud Run:

Cloud Run is a serverless, managed compute platform that enables you to run stateless containers that are invocable via web requests or Pub/Sub events.
To run a Cloud Run service, you need to:

Have a Google Project

Enable Cloud Run API

Enable Cloud Build API

Gitlab:

GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager providing wiki, issue-tracking, and continuous integration and deployment pipeline features, using an open-source license, developed by GitLab Inc.
You can create a Gitlab project here: New Gitlab project

Clone sample repo here:
https://gitlab.com/niyi/myhelloworldapp

Step 1a: Enable Service Account
A service account is a special kind of account used by an application to make authorized API calls on the GCP platform.
On your Google Cloud project, navigate through Cloud Build > Settings.
Under Service account permissions, make sure both Cloud Run and Service Accounts are enabled
Step 1b: Create a Google Service Account
We'll create a new service account for your application to use

On your Google Cloud project, navigate through IAM & Admin > Service Accounts > Click on CREATE SERVICE ACCOUNT
Give your new service account any name you want and click CREATE
Add the following roles to your service account by clicking Select Role input under task number 2
1. Cloud Build Service Agent
2. Service Account User
3. Cloud Run Admin
4. Project Viewer
Click Create then click Done to add the account.
Generate a credential file for this account by navigating to the newly created service account > Keys > Click on Add Key > Create New Key. Select JSON and click CREATE

Step 2: Setup Gitlab CICD variables
In this step, we'll create variables that we'll use in our code. One for the GCP Project ID and another for the Service Account we created earlier

Navigate to the project repository on Gitlab > Settings > CI/CD
To add a variable, under the Variables section, click the Expand button and click on Add Variable We need to add two variables, one names GCP_PROJECT_ID with the value of our GCP Project ID and the other named GCP_SERVICE_ACCOUNT for the content of the JSON we downloaded earlier

Step 3: Setup Application code
We need to configure our code to connect to Gitlab CI/CD. We'll also use Docker to containerize our application so it runs the same across multiple platforms.

We've added a Dockerfile in our application that will run on PORT 8080, which is Google Cloud Run's default port
We've also added a .gitlab-ci.yml file which is the file the triggers our CI/CD pipeline on Gitlab *

# File: .gitlab-ci.yml
variables:
  SERVICE_NAME: "myHelloWorldApp"

deploy:
  stage: deploy
  only:
    - master # This pipeline stage will run on this branch alone

  image: google/cloud-sdk:latest # We'll use Google Cloud SDK for Cloud Run related commands
  script:
    - echo $GCP_SERVICE_ACCOUNT > gcloud-service-key.json # Save Google cloud contents in a temporary json file
    - gcloud auth activate-service-account --key-file gcloud-service-key.json # Activate your service account
    - gcloud auth configure-docker # Configure docker environment
    - gcloud config set project $GCP_PROJECT_ID #Set the GCP Project ID to the variable name
    - gcloud builds submit --tag gcr.io/$GCP_PROJECT_ID/$SERVICE_NAME #Run the gcloud build command to build our image
    - gcloud run deploy $SERVICE_NAME --image gcr.io/$GCP_PROJECT_ID/$SERVICE_NAME --region=us-east4 --platform managed --allow-unauthenticated # Run the gcloud run deploy command to deploy our new service

Replace the SERVICE_NAME value with the desired name for your application and save the changes.

At the end of the file, we're running the commands gcloud build and gcloud run deploy to build and deploy our application respectively.

Push your changes to the remote Gitlab repository and watch as your new baby is created.

To monitor the progress of your deployment on Gitlab navigate to CI/CD > Pipelines and click on the latest job.
To see your new application on Cloud Run, navigate to GCP > Cloud Run and search for the name of the service

Congratulations!

Forem: Niyi

Secure Your Firebase: Database Rules and Client Authentication