Firebase is a great platform for developing rich mobile and web applications by leveraging the power and scale of the Google Cloud Platform. Firebase provides a wide range of composable backend services and SDKs that help developers overcome numerous challenges in app development including user authentication, data storage, notification delivery, and more.
In addition to the services and the SDKs, Firebase also offers security rules -- a powerful mechanism that helps enforce the security and logical correctness of your apps. The backend services use security rules to authorize and validate the requests made by client apps, and make sure they adhere to the policies that app developers have put in place. Today, you can use security rules to govern how your users interact with the Firebase Realtime Database, Cloud Storage, and Cloud Firestore. Rules in these Firebase products help you achieve two critical goals:
If you're using any Firebase product mentioned above, rules are essential. But you may have questions about how they fit into your application architecture. In order to shed some light on this subject, we'd like to share a few tips related to security rules and the Admin SDK.
As you explore security rules in depth, you will eventually discover that requests from the Firebase Admin SDK are not gated by rules. The Admin SDK is initialized with a service account, which gives the SDK full access to your data. In Firebase Realtime Database, you can scope the Admin SDK's privileges to a user ID, and enforce rules as usual. But other products, most notably Google Cloud Firestore, don't support this feature yet. You should be mindful about that when implementing server-side data access operations.
Because of the elevated privileges of service accounts and the Admin SDK, you should also make sure that they only get deployed in environments that you trust with administrative control of your project. Typical environments include servers controlled by the developers, and managed cloud environments like Google Cloud Functions and App Engine. On the other hand, end-user devices and web browsers where the application code is open for modification are inherently untrusted, and the Admin SDK should never be deployed in them.
Many applications have data that is critical to the operation of the app, but should never be modified by the users. Consider a forum app that promotes user engagement by awarding its participants points (think StackOverflow). Each forum post needs to be scored in near real-time so the users can track their progress, but the users themselves should never be able to change anyone's points, not even their own.
The simplest way to protect such application-managed data is to specify a rule that prevents all writes to the data from the users.
service cloud.firestore { match /databases/{database}/documents { function isAuthorized() { // Some function that grants users read access. } match /scores/{uid}/{document} { allow write: if false; // Nothing gets past me (except Admin of course). allow read: if isAuthorized(); // Grant read access as necessary. } } }
Then you can use the Admin SDK to implement backend services that keep the data up-to-date. For instance, you can implement a serverless function using Cloud Functions for Firebase that automatically executes whenever a user posts something in the forum. This function can determine how many points to award the user, and update the respective entries in the read-only scores collection.
scores
import * as admin from 'firebase-admin'; admin.initializeApp(); export const updateScores = functions.firestore.document('posts/{userId}/{postId}') .onCreate((snapshot, context) => { const score = calculateScore(snapshot); const userId = context.params.userId; const doc = admin.firestore().collection('scores').document(userId); return admin.firestore().runTransaction((txn) => { return txn.get(doc).then((snap) => { const current = snap.data().total || 0; txn.set(doc, {total: current + score}, {merge: true}); }); }); });
Since Cloud Functions is a trusted environment, the backend code can continue to update your data, while keeping users from doing something they are not allowed to.
Many applications need to deal with users in different roles. What individual users can do in the app usually depends on their roles. Let's take a MOOC (Massively Open Online Courses) app as an example, where there are teachers, students and TAs. Teachers and TAs should be able to view and update course content, but students should only be able to view the material.
In a Firebase app, user roles can be managed by setting custom claims on user accounts. This is a privileged operation that can only be performed in a backend environment, typically using the Admin SDK. Custom claims are additional information that we associate with user accounts in Firebase Auth, and this information becomes available in the ID tokens that Firebase issues to users upon sign in. You can inspect these claims via security rules to facilitate role-based access control.
Going back to our example MOOC app, we can use the following backed code to grant a user teacher role.
import * as admin from 'firebase-admin'; admin.initializeApp(); async function grantTeacherRole(userId: string) { await admin.auth().setCustomUserClaims(userId, {role: 'teacher'}); }
Now you can define a rule that only allows teachers and TAs write-access to the courses collection.
courses
service cloud.firestore { match /databases/{database}/documents { function isTeacher() { return request.auth.token.role == "teacher"; } function isTA() { return request.auth.token.role == "ta"; } match /courses/{doc} { allow write: if isTeacher() || isTA(); // Only teachers and TAs can write. allow read: if true; // But anybody can read. } } }
Note that Firebase client SDKs cache ID tokens up to an hour. Therefore changes to a user's custom claims may take up to an hour to take effect.
Sometimes you want the ability to withhold some data from users until an administrator or a backend service determines it's time to release the data. For example, consider an automated process that grades tests in a MOOC app. You would want this process to finish grading all the tests before any scores are shared with the students. In this case the grading process should be able to update any Firestore document, and it can be deployed in a trusted backend environment. Therefore you can use the Admin SDK to implement it.
To make sure the intermediate states of data are not visible to users, you can create each document with a visibility attribute set to "private". Then in security rules, restrict access to only those documents whose visibility attribute is set to "public". Here's what this rule would look like:
visibility
"private"
"public"
service cloud.firestore { match /databases/{database}/documents { function isPublic() { return resource.data.visibility == "public"; } match /grades/{document} { allow read: if isPublic(); // Cannot read unless marked as "public". allow write: if false; // Nobody except Admin can update the documents. } } }
With the above rules configuration in place, all documents created with the visibility attribute set to "private" are inaccessible to the end-users. When the backend process is ready to release a document to the users, it can use the Admin SDK to change the visibility attribute of the target document to "public".
import * as admin from 'firebase-admin'; admin.initializeApp(); async function gradeTests() { // Create a new document and continue to write to it. const doc = await createNewDoc(); await updateGrades(doc); // Later, make the document visible when ready. await releaseGrades(doc); } async function createNewDoc() { const doc = admin.firestore().collection('grades').document(); // Make the new doc hidden by default await doc.set({visibility: 'private'}); return doc; } async function releaseGrades(doc) { await doc.update({visibility: 'public'}); }
As soon as the visibility attribute is set to "public" on a document, it will start appearing in matching Firestore queries executed by users.
It can be tempting to write rules that apply across collections -- for example, writing a rule that grants teachers in the MOOC app access to all documents in the database. In such situations, remember that rules will grant access to a document if any match statement in the rules configuration grants access. When multiple rules apply to the same document, it is easy to forget that any rule that allows access, overrides all the other rules that deny access.
service cloud.firestore { match /databases/{database}/documents { match /reports/{document} { // This rule is intended to selectively grant users read-only access to the // documents in the 'reports' collection. But the rule below inadvertently // grants teachers read-write access to these documents. allow read: if isConditionMet(); allow write: if false; } match /{document=**} { // This rule matches all documents in the database, including the 'reports' // collection. In case of teachers, this will override the previous rule. allow read, write: if isTeacher(); } } }
To avoid accidentally granting users access to protected data in your app, you should try to write rules in a manner so that each document only matches a single rules statement. One way to make that easier is to avoid wildcards that match collections ({document=**}), and only use wildcards that match documents ({document}). If you're tempted to define overarching rules, consider if the Admin SDK would be a better fit, because as we learned in the Tip #1, requests from the Admin SDK bypasses security rules.
{document=**}
{document}
As your apps grow and evolve over time, you may implement various administrative tools to manage your app's data. For example, you may want to implement a tool that backs up certain Firestore collections or RTDB paths. Or you are trying to meet specific privacy requirements, and you want to implement a service that deletes user data when the data becomes obsolete or when the users demand it. Such tools typically require unrestricted access to large portions of your database.
At first this may look like a good reason to have a relaxed set of security rules. But you should strive to write the most detailed and restrictive rules that describe the access patterns of your app. Administrative tools should be implemented using the Admin SDK, and deployed in a privileged environment that you control. This way your admin tools can retain full access to all the data, while closely regulating what end-users can do in the app.
In some situations you may want to temporarily deny a user access to data. Perhaps the monitoring infrastructure of your forum app has just detected a user posting spam, and you want to prevent that user from posting any more content until you can conduct a thorough investigation of the incident. You can use security rules to implement a simple access control list (ACL) on top of Firestore, and use the Admin SDK to dynamically manage it. You would start by declaring a rule like the following:
service cloud.firestore { match /databases/{database}/documents { function isBlackListed() { return exists(/databases/$(database)/documents/blacklist/$(request.auth.uid)) } // Collections are closed for reads and writes by default. This match block // is included for clarity. match /blacklist/{entry} { allow read: if false; allow write: if false; } match /posts/{postId} { allow write: if !isBlackListed() } } }
This mentions a Firestore collection named blacklist that no user can read or write. It also uses the exists built-in function to check if a document with a given key exists in the Firestore database. If you haven't seen this pattern before, built-in functions like exists and get enable us to access Firestore documents from security rules. In this case, if we find a user ID in the blacklist collection, we prevent the corresponding user from writing to the posts collection. Now we can use the Admin SDK to add users to the blacklist collection, and revoke their write-access:
blacklist
exists
get
posts
await revokeWriteAccess('bAdAgEnT'); async function revokeWriteAccess(userId) { const user = admin.firestore().collection('blacklist').document(userId) await user.set({ reason: 'possible bad agent', blacklisted_at: admin.firestore.FieldValue.serverTimestamp(), }); }
Since you have already locked down all access to the blacklist collection, you can rest assured that only the Admin SDK (i.e. our backend code) can make modifications to it. Changes to the ACL take effect immediately. To grant a user access to the data again, simply remove the corresponding document with the user ID from the blacklist collection.
Note that we are also writing the current timestamp to the same document when adding a user to the blacklist. If you want, you can write a rule that references this property to automatically grant blacklisted users access after a cool off period.
service cloud.firestore { function isTwoDaysElapsed() { return request.time > timestamp.value(get(/databases/$(database)/documents/ blacklist/$(request.auth.uid)).data.blacklisted_at.seconds*1000) + duration.value(2, 'd'); } match /databases/{database}/documents { match /posts/{postId} { // allow if blacklisted more than 2 days ago allow write: if isTwoDaysElapsed(); } } }
Firebase takes a declarative approach to ensuring the security and logical correctness of your apps. By keeping the rules separate from application code, you can easily update your security policies, while keeping the application code simple. As many developers know by experience, code changes are harder to make, and even harder to test and deploy. But with Firebase, you can rapidly iterate on your rules without having to touch the application code at all. Moreover, you can patch any detected security vulnerabilities instantly, without having to go through a long and arduous app rollout.
You can also use rules in conjunction with the Firebase Admin SDK to implement sophisticated use cases that involve server-side code. Admin SDK is not subjected to rules checks, but this extra degree of freedom enables some useful patterns that can be applied to multiple real world applications. You can implement any server-side components using the Admin SDK and deploy them in trusted environments like Google Cloud Functions, while subjecting the client-side apps to stricter constraints.
Read more about Firebase security rules and the Admin SDK in our documentation. If you have used these tools to solve any interesting problems, we'd love to hear about your experience. Happy coding with Firebase!
Here at Firebase, we work hard to keep your apps secure and protect your users. In keeping with that mission, we're proud to announce that we recently implemented Certificate Transparency for the Realtime Database.
Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates. These attack vectors are rare but serious ways of circumventing the protections that SSL/TLS grants to online communication.
Part of Certificate Transparency is the issuance of a Signed Certificate Timestamp (SCT), which Realtime Database responses now include. We have already been sending the SCT when browsers like Chrome requested it, but now it is always bundled in the response.
From today on, every connection from one of your users to your database will be protected by the SCT. Please be aware that the SCT creates a little more SSL overhead, so each response gets slightly larger. The percentage increase for your app is dependent on many factors, such as your average response size, and which clients your customers use. Since outgoing bandwidth (egress) is billed, you may see a slight bill increase as a result.
Certificate Transparency is a great enhancement to SSL/TLS, and we Firebasers are excited about what it means for the security of the internet going forward. We're delighted to bring this protection to you and your users.
If you are a user of Firebase Cloud Messaging (FCM), you know that there are many different ways to send messages. You can target an application on a device, or target millions of them through the topics API. FCM APIs tell you if there was a failure during the acceptance of the request by returning an error code and an explanation for the failure, but this only covers the part of the request between you and the FCM backend. What happens after FCM accepts your message request?
In this post, we will look into the Firebase Cloud Messaging infrastructure and how messages are actually delivered to devices.
When FCM returns a successful response to your API request, it simply means that FCM will start trying to deliver this message to the device or to the service responsible for delivering the message to the device (for example: Apple Push Notification service for delivery to iOS devices or Mozilla Push Service for delivery to Firefox browsers). It will try this until:
Note: If the time to live of the pending messages has expired, the above functions will not be triggered.
There are many factors that affect the actual delivery of the message to the device and the amount of information FCM can provide about the delivery.
Note: If you'd like to analyze message delivery events for your project, you can do so by exporting FCM data into BigQuery.
On iOS, there are two ways in which FCM can send a message to a device:
Note: If you'd like to access iOS notification delivery information for display notifications, you can use the FCM Reporting Dashboard. This dashboard leverages Google Analytics for Firebase data sharing features to collect delivery information through Firebase Android and iOS SDKs for display notifications.
See Lifetime of a Message and Understanding Message Delivery if you'd like to learn more about message acceptance and delivery.
This article originally appeared on the Google Marketing Platform blog.
For businesses to make the best decisions about where to invest their marketing budget, it's critical that they understand user behavior on both their web and app properties. And while a website is often the first customer touchpoint, for many businesses, apps are where customers are spending more of their time. As a result, marketers need to capture audience insights from their app analytics that they can then take action on, both within and outside of their apps.
Google Analytics for Firebase, our app analytics solution, has historically given you the ability to organize your audiences around events, device type, and other dimensions. These criteria were not exhaustive, however, or dynamic as user behavior changed over time.
That's why we've made enhancements to the audience builder experience, with a few major updates to help you identify relevant app audiences more easily and with greater precision:
These new tools make audiences more powerful, flexible and actionable than before, so you can be confident that your insights reflect relevant users and activity on your apps. In 2019, we will continue to enhance the Google Analytics for Firebase audience builder, offering even more ways to precisely create audiences.
Take action once you've identified relevant audiences
Once you've improved your understanding of users, you can also deliver personalized experiences based on varying user needs. For example, through push notifications or Remote Config in Firebase, or customized ads in Google Ads.
Let's say you have an e-commerce app. Using these advanced audience capabilities, you can build an audience of users that visit your app for the first time and add an item to their cart, but don't make a purchase—and only include those who do so in a 30 day window.
Build a dynamic audience for first time users that have abandoned their cart.
You can now reach that audience with tailored messaging relevant to their experience with the app, and encourage them to make the purchase through an in-app promotion, email notification, or personalized ad. Once these users have returned to the app, made a purchase, and/or exceeded the 30 day window however, they will no longer meet the criteria for that audience, and you will not adversely affect their experience with marketing that is no longer relevant to them.
With the ability to create dynamic audiences, you are able to understand your users with better precision. A better view into your audiences means more insight into the customer journey, so you can invest in your marketing activities with confidence and see better results—keeping users happy, and your app growing.
Hey there, Firebase developers! Did you hear the news? Cloud Firestore — our NoSQL database in the cloud for mobile and web apps — is officially out of beta and in General Availability!
Great! So… why's that a big deal?
The move from beta to GA is significant for a number of reasons. For starters, it's Google's way of saying that we're confident in Cloud Firestore's ability to handle your toughest database needs. And you can rely on Cloud Firestore to power all kinds of apps — from experimental prototypes to mission critical enterprise-scale applications.
Moving into GA also has some practical benefits. One of the most important is that Cloud Firestore is now included in GCP's official Service Level Agreements (or SLAs, as they're commonly known). This means you now have guaranteed uptime — 99.999% for multi-region instances of Cloud Firestore, and 99.99% for regional instances.
In addition, now that Cloud Firestore is out of beta, important programs like GCP's deprecation policy officially apply to Cloud Firestore, and Cloud Firestore is now included among our list of services that support HIPAA compliance.
New lower pricing tier — coming soon!
We're also excited to announce a new lower pricing tier (up to 50% off) for most regional instances of Cloud Firestore. And if you're wondering what exactly I mean by "regional" and "multi-region", let's explain:
To over-simplify things a bit, when you have a Cloud Firestore database installed in a multi-region location, exact copies of your database are created in multiple data centers at least a few hundred miles apart from each other. This is great from a reliability standpoint; even if one region were to completely go offline due to a natural disaster or giant radioactive lizard attack, your database would continue to be hosted from the other two.
Even better, this whole setup is completely transparent to you. When you write new values to the database, you're able to read them right away, and not have to worry about whether or not they've fanned out to all of the other regions properly. This is known as being strongly consistent, and honestly, it's a pretty amazing piece of tech that will impress your database aficionado friends.
That said, creating a strongly consistent multi-region database is pretty heavy-duty tech that requires a lot of infrastructure. And while all of that is important for mission critical applications, it might be overkill for some of your other apps, and you might be perfectly happy with the guaranteed 99.99% uptime that comes from having Cloud Firestore hosted in a single region. (Usually just referred to as "regional" locations.)
So to help reflect these differences, we're going to start lowering prices on most of our regional instances of Cloud Firestore in the next month or two. The price will vary by location, but the discount will be as much as 50%. Once this new pricing goes into effect on March 3rd, 2019, it will be applied automatically to those of you who have Cloud Firestore databases hosted in those regional instances.
New locations, too!
As long as we're talking about data center locations, we've added several new locations around the world to host your Cloud Firestore data. There will be a new multi-region location in Europe, and then 9 additional regional locations, including a few in Asia, Australia, North and South America, and Europe. Be sure to check out the Google Cloud blog post for the complete list.
We believe these new locations will give you the tools to help address your local regulations around data storage, and better serve the needs of your customers who might be concentrated in certain areas around the globe. You can select your Cloud Firestore location when you first create your Firebase project, so make sure to pick the location that will provide the best experience for your customers.
Better usage tracking, powered by Stackdriver
One of the biggest concerns we've heard from developers when they're using a tool like Cloud Firestore is that they're not very confident in their app's database usage, and they're worried about the day when a bill arrives in the mail for more than they expected because they had underestimated their app's database usage.
So to help address this, we're going to be adding a new "Usage" tab in the Firebase console to show you exactly how many reads, writes, and deletes your database has received over time. These are the operations that drive the majority of your Cloud Firestore pricing, so making sure you know what your traffic is like in these three areas is critical to keeping a handle on your costs.
These graphs are certainly helpful, but what's really exciting about these usage reports is that they're being powered by Stackdriver, Google Cloud's incredibly flexible monitoring and reporting toolkit. And one really nice feature about Stackdriver is that you can set up your own custom alerts if any of the metrics its measuring go outside certain ranges.
So if you want to receive an email (or PagerDuty notification, or a Slack message) when your database receives more reads than you were expecting in a one-hour period, you can do that. You can also receive alerts if your traffic spikes an unusual amount compared to normal, or if your overall traffic drops below a certain level.
Please note that this usage tab is currently in beta, and while there's a lot more you already can do with Stackdriver (including building your own custom dashboards), we'll be looking to add more Cloud Firestore metrics to Stackdriver in the future. Look for this new Usage tab to appear in the Firebase console in the next few days!
Give it a try today!
Even in beta, Cloud Firestore was driving some fantastic app experiences — with partners like The New York Times, Skip Scooters, QuintoAndar, Nerdery, and more building some really great features powered by Cloud Firestore.
And now that we're in General Availability, this a great time to get started using Cloud Firestore to power your apps. We've got a lot of documentation and samples get started with, and a fun little video series that I am legally obligated to plug. So give it a look, and happy databasing!
