i am building a chat android app that allows users to chat where users can create account and use all the features. It's about to be completed but there's a problem, actually a question.
Is firebase on android safe ?
In my firebase database, i have created a rule as follow:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Now, this rule will reject any non authenticated users from accessing the data and pushing data or deleting any of it. But, when user creates an account on my chat app, he/she will be authenticated and my app will allow to make modifications. What if they reversed engineered the app and changed some of the codes and pushed invalid datas or removed some of the values from database coz they are already authenticated ?? How can i prevent that ?
When user creates account in my app i use:
auth.createUserWithEmailAndPassword(email, password)
.addOnCompleteListener(RegisterActivity.this, new OnCompleteListener<AuthResult>() {
This will create a new chat user for the app. So, user is creating his/her own account and they know the credentials and everything. I am so confused, how can i prevent them from editing my codes ?
You can't prevent malicious clients from executing whatever code they want against your Firebase project. Someone will always find a way to compromise your app at runtime on a device that you can't fully control.
The way to protect your data is through sophisticated security rules that:
Requires users to be authenticated (as you already have)
Decide which users can read and write to which locations in your database
Reject invalid data from being written
This requires a fair amount of thought and effort. You can start with the documentation to learn more.
Please also read this question on Quora for some more ideas.
Related
I'm working with telegram bot and i have this method to get user messages.
I need to find a way to get a link to the user who send this message
I saw there are this method, but i dont know how to connect them to a "link" to a profile
#Override
public void onUpdateReceived(Update update) {
update.getMessage().getFrom();
// i have: getFirstName(), getLastName() - not helping
// i have also getId() - but its a number how do i convert it to a link to telegram profile ?
}
Having username is optional on Telegram, setting it up means other people will be able to contact the user without knowing their phone number. Only users that chose their username in Telegram settings have a profile link, and the link is of the form https://t.me/<username>.
For ordinary messages, you can get the username via update.getMessage().getFrom().getUsername() and use it to create profile links, however, note that for many users this value will be empty (meaning they don't have a profile link).
Also, if you keep database of chat IDs, you can get usernames of the users via getChat Telegram API call. This can be useful because while usernames can be changed by the user any time (meaning their profile link will also change), chat ID of the user is constant over time and the getChat method will always provide you with the most recent information.
I work on chat app one to one chat and my database structure is
"rules": {
"Messages" :{
"$chatId" : {
".read": "root.child('Chat_members').child(chatId).child(auth.uid).exists()",
".write": "root.child('Chat_members').child(chatId).child(auth.uid).exists()"
}
I want to implement delete message so if user1 delete message i will hide it and display it only for user2 ,i can do this from client side but it is very inefficient way to request all data where there is for example just one message that will display for user1 how to do this from firebase rules? can I find any help?
As the documentation says security rules don't filter data. Instead you need to ensure that the client only reads the data you want to show.
I don't seen an easy way to do that to your structure without adding more data. In fact, the simplest way I can think of is to simply replicate the chat for each user and then actually delete the message from their data structure when needed.
This is a pretty generic question, but any advice is appreciated.
I am writing an Ionic2 app that uses Firebase Authentication.
A user can sign up to the app. A verification email is sent to the user's email address. If the user verifies their email, they can access the app.
However, if a user does not verify their email, for example if they signed in with the incorrect email address, then the email will never be verified. In such a case, the incorrectly registered email address sits on the Firebase database redundantly, or if the valid user tries to signup with that email, they get a message that that email address belongs to the original provider (Facebook, Google or plain email), and cannot sign up as a different provider.
As you can see, the above situation can potentially block a user from registering their email address.
I have tried to delete the Firebase account when the user comes to sign in so they start afresh as I do have the matching uid. However, I don't think the AngularFire2 api allows a Firebase account to be deleted by uid. See here.
Can either suggest:
How to delete the account by uid, or
Another design I can use to resolve this issue.
Thanks you
UPDATE
Thank you for the advise below. I have a Java server which I would like to do the Firebase Admin management of users.
I have found Java documentation on how to initialize Firebase Admin. e.g.
public void initialize() {
String keyPath = "/appname-123456-firebase-adminsdk-eknji-3071d579f5.json";
InputStream serviceAccount;
ClassLoader loader = Thread.currentThread().getContextClassLoader();
serviceAccount = loader.getResourceAsStream(keyPath);
// serviceAccount = new FileInputStream(keyPath);
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredential(FirebaseCredentials.fromCertificate(serviceAccount))
.setDatabaseUrl("https://appname-123456.firebaseio.com").build();
FirebaseApp app = FirebaseApp.initializeApp(options);
FirebaseAuth auth = FirebaseAuth.getInstance();
FirebaseDatabase database = FirebaseDatabase.getInstance();
}
I can find Node.js documentation on how to manage users. But how do you do this in Java? i.e. How do I delete a user by uid?
UPDATE
Looks like you need to create a custom token with the uid. See here.
How do you do the following in Java?
admin.auth().deleteUser(uid)
.then(function() {
console.log("Successfully deleted user");
})
.catch(function(error) {
console.log("Error deleting user:", error);
});
UPDATE
I don't think it is possible to manage accounts in Java. I think the custom token needs to be passed back to the client, and then used to sign in for that user. see here.
There are three ways to delete a Firebase Authentication account:
from the Firebase Authentication console.
by calling delete() on the signed in user from the app.
by calling deleteUser() from the Admin SDK.
It sounds like you're looking for option 3. This requires that you run a trusted process that deletes the extraneous users. Don't try to run this code in your actual app, since that would open up a security that allows all your app's users to delete each other's account.
I need for one of my apps to update a database on my server (likes, comments, etc...) and I thought that the only way to disabilitate bots to update it constantly is through making the user create an account and via java ask for a php script on the server side to update the records, but I don't know how to get the app to understand if a user is logged in or not...
Do you have any ideas that could help me? Thank you
In your user table add two extra column device id and token. when a
user is logged in first time generate a random token and send it to
the app and update your database.In app store that token in
persistence. every time when app starts send that token to server if
token matches with db token that means u r logged in, else not.for
logout send null or zero to server. Try with this.
I am developing a web application that needs to prevent multiple login using the same user name and password concurrently.
If it happens on the same machine then we need to do something with the user session, but it should also prevent if they are login on different machines using the same user name and password.
What can be the best approach :-
1) should i store the user session,credentials,and IPAddress of the machine in the DB.
2) should we use the session tracking mechanism in the application itself.If so what is the best approach?
Also , We have to keep following things in mind:
1) If user close the browser without logout.
2) If session times out.
Hope it clears the question.
Besdies data base hits (which could fail if your server is broguth down without updating db) : A data base friendly way is not to hit the data base for every re login or you could get denial of service attacks that brig you dowm. Instead implement a session listener in J2EE and check if same user is logged in by looking up the user id in a cache.
If you have more than one app node then need a distributed cache with a time out same as session time out in web.xml.
Simply have a field in your database that has text that says online or offline for each user, according to whether they are logged in or not. So when someone tries to log in with that username, check the database if the field says online for that given user on submit. If the field says online, don't allow log in. Otherwise permit it.
without using a database
you can store if a user is online in a text file
$check= "onlineCheck.txt";
$fh = fopen($check, 'a') or die("can't open file");
$nowOnline= "USER678 \n";
fwrite($fh, $nowOnline);