Android: do I really need a custom Firebase check?

Question

Android: do I really need a custom Firebase check?

I am developing an application with a function chat. I will go with Firebasefor the backend, and I do not know if I need custom authenticationin my application.

All I need from the user at logon - it Usernameand Phonenumber. I check the phone number sending sms with the code, so basically I could add the username and phone number directly to json-tree (database) when the phonenumber number is confirmed.

Is there any reason why I would need to authenticate the user using JWT? I also save the username and phone number in SharedPrefrence after checking the number.

+4

android firebase firebase-database firebase-authentication firebase-security

Chris rock Feb 09 '16 at 11:27

source share

1 answer

Chris rock · Accepted Answer · 2016-02-09T12:45:47+0000

Answer: Yes. I need individual authentication for my application, because everyone can reverse engineer and view the API URL and join them using these default rules:

{
"rules": {
    ".read": true,
    ".write": true
    }
}

If I authenticate my users with tokens (JWT) generated from the secret key, uid and other data on a trusted server (do not store the secret key in the application code), the server will not be accessible to everyone. Of course, I also need to change the security rules, so only authenticated users can access them:

{
  "rules": {
    "data": {
      "users": {
        "$user_id": {
          // grants write/read access to the owner of this user account
          // whose uid must exactly match the key ($user_id)
          ".write": "$user_id === auth.uid",
          ".read": "$user_id === auth.uid"
        }
      }
    }
  }
}

Android: do I really need a custom Firebase check?

More articles: