Firebase Auth, Firestore & Storage (plugin)
  • 🚀Getting Started
  • Setup
    • Create a Firebase Project
    • Get Firebase access credentials
    • Offline Support
    • Secure your credentials and data
      • Restrict your api-key to your domain
      • Security Rules on Firebase
  • Plugin Elements
    • 🛠️About elements
    • 💾Data Schemas
    • Firebase Auth (Current User)
    • Firestore Data List
      • Firebase Geohash
      • Firestore Data (legacy)
    • Firestore Data Extractor
    • Firestore Data Single
    • Firestore Data Aggregation
    • Firestore Data Processor
    • Firebase Storage Upload Button
    • Firebase Action Listener
    • Firebase Dropdown Processor
  • Plugin Front-end Actions
    • 💻About front-end actions
    • 💾Field types table
    • Firestore
      • Create a new document
      • Update a document
      • Delete a document
      • Update a list of documents
      • Delete a list of documents
      • Batch Operations
        • Batch Operation Constructor
        • Batch Operation Commit
    • Firebase Auth
      • Sign the User Up
      • Log the User In
      • Log the User In with Google
      • Log the User In with Facebook
      • Log the User In with GitHub
      • Log the User Out
      • Update User's Profile
      • Update User's Password
      • Update User's Email
      • Send password reset email
        • Handle reset password code
      • Send verification email
        • Handle verify email code
      • Delete current user
    • Firebase Storage
      • Upload file base64
      • Delete uploaded file
  • Plugin Back-end Actions
    • ☁️About backend actions
    • Firestore Backend
      • Get a list of documents
      • Get a single document
      • Count a list of documents
      • Create a new document
      • Update a document
      • Delete a document
      • Update a list of documents
      • Delete a list of documents
    • Firebase Auth Backend
      • Create an account for someone else
      • Update another user's profile info
      • Delete a user account
      • Generate email confirmation link
      • Generate password reset link
      • Set user roles
Powered by GitBook
On this page
  • Using backend workflows for better security
  • Bubble's Privacy Rules x Firebase Security Rules
  1. Setup
  2. Secure your credentials and data

Security Rules on Firebase

PreviousRestrict your api-key to your domainNextAbout elements

Last updated 11 months ago

In order to run fast operations on Bubble's front-end and also allow for no-code configuration, when you specify the Firebase account configuration of the site, this data might be exposed on the page HTML content.

Because of that we strongly recommend every developer to properly configure Security Rules for Firestore and Firebase Storage.

To do so, you must go to your projects console, on the Firestore or Storage pages, and click on the "Rules" tab.

You must always configure your Security Rules for Firestore and Firebase Storage properly, to avoid unwanted uses of you Firebase connection.

Using backend workflows for better security

When you use backend actions from the plugin, as they run server-side code, they can bypass security rules, but there is a caveat: Bubble's backend actions for plugins are always slow to start! They take up to 30 seconds to execute, no matter how simple their login is.

That's because they kind of need time on first run to "load themselves into Bubble's server memory" (that not an official statement from Bubble, but rather how we rationalize it). After this first execution, they tent to run faster for a couple of minutes.

So, you can use them when you need a more secure way to deal with data on Firebase, but you'll have to work around the long execution times limitation and deal with a greater Workload Consumption because of that.

Tip: You can run backend operations on a Scheduled Backend Workflow, in order to free your users from the "burden" of having to wait the server-site action warm up time.

Bubble's Privacy Rules x Firebase Security Rules

Firebase security rules work differently from Bubble's privacy rules. While on Bubble they work as a kind of "filter" for data, on Firebase they work as "blockers".

So, if you define the rule on Bubble that User's can only see their own data, if you try to fetch more user's in a list or a Repeating Group, for instance, no matter how you set the search, Bubble will only give the user's available data. It will simply not fetch the other user's.

In Firebase, on the other hand, if you set the same rule, the entire query will fail and you won't receive any data, only an error message on your browser's Console: "Firestore Data Plugin Error: Missing or insufficient permissions."

Tip: You can open your browser's dev tools (press "F12") to read any errors or warning messages given by our plugin.

Firestore Data Plugin Error: Missing or insufficient permissions.