Restrict database access to REST API calls only


TY

Feb 22, 2017, 11:38:34 PM
to Firebase Google Group
Hello,

My app has a lot of long form content where users retrieve a lot of text and read it for a while, staying on the same page (think Atlantic, not Twitter).

It makes no sense for the app to maintain a concurrent connection while they are reading so I want to use the REST API for information retrieval.

Given that my Firebase credentials are on the client and end points are public, anyone can create a copy of my app that will not enforce this rule and retrieve information through a real-time connection. This will quickly increase my Firebase bill and I would like to prevent that.

Is there a way to restrict access to the database through REST calls only through database security rules, so that the restriction is enforced on Firebase servers and not on the client without having to run a server (or proxy through AWS API Gateway) between client app and Firebase?

Thank you very much for any suggestions in advance!

Doug Stevenson

Feb 23, 2017, 4:42:17 PM
to Firebase Google Group
Ty,

A couple things about what you're trying to do.

Maintaining an open connection is not expensive for your app, both in terms of battery use and billing. When you issue an HTTP request, it's likely that your HTTP client will also keep that connection open for some time in order to optimize the next request. Requests over HTTP are also going to be less efficient overall compared to the SDK's own persistent connection, which is highly optimized. Going down the path of making HTTP requests doesn't sound like it would actually help your users at all, and in fact would probably make the user experience a little worse.

Second, user authentication is checked and enforced on the server side, not on the client side.  Assuming that your security rules are configured correctly at the Firebase console, no one can really just "create a copy" of your app that chooses to bypass authentication.  I wouldn't be too concerned about this sort of thing happening.

Doug

TY

Feb 24, 2017, 12:58:11 AM
to Firebase Google Group
Hi Doug,

The data on my app will be open to be read by anyone; only authenticated users will post. So, theoretically, anyone can connect to my database and query it at will.

However, giving more thought to this and reviewing Firebase plans (somehow I got 100 connections anchored in my head, while it's not an issue as I'm on Blaze anyway), I think you have a good point in that I'm prematurely solving a problem that I might not have and in the process deteriorating my users' experience.

Thank you very much for taking the time to answer,

T