I'm using Firestore to store my data. This includes user profile details and their current location in documents, which are stored in a collection with the below security rules:
match /profile/{w9o3948s} {
allow read, write: if request.auth.uid != null;
}
Is there any way for people to "browse" the list of documents in the collection and look through user's locations? Or can that only be done by code within my app?
The document ID is randomly generated, so even if someone hypothetically knows a current document ID - how would they query the document?
Is there any way for people to "browse" the list of documents in the collection and look through user's locations?
Yes, with your security rules it is totally possible.
As soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
One standard way to give access to only a set of users (for example, the employees of your company, or some paying subscribers to your app) is to use Custom Claims. You will find in the documentation the guidelines for setting access control with Claims.
You may be interested in this article, which presents how to build, with a Callable Cloud Function, a module for allowing end-users with a specific Admin role to create other users, and how to restrict access to users with one or more specific Custom Claim(s). (disclaimer, I'm the author).
Or can that (i.e. browse the list of documents in the collection) only be done by code within my app?
Anybody who can reverse engineer your app can find the name of your Firestore collections and, with an account created as explained above, can access the documents in those collections.
The document ID is randomly generated, so even if someone hypothetically knows a current document ID - how would they query the document?
As you will read in the section of the Security Rules documentation dedicated to Granular Operations, using read allows users to get one document AND to list all documents of a Collection (or of a Query). So if you want to restrict the read access rights of a user to only his/her profile, you will need to have two different rules for get and list.
So, in conclusion:
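To make the get/list distinction concrete, here is the question's rule next to a hardened version (an added example, not from the original answer or from the Firebase documentation). It assumes each profile document carries an ownerUid field holding its owner's Firebase uid and that admins are marked with a custom claim named admin; neither is stated in the question.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak rule from the question: `read` covers both get and list, so any
    // signed-in account (including one self-registered through the Auth
    // REST API) can enumerate every profile document and its location.
    //
    //   match /profile/{profileId} {
    //     allow read, write: if request.auth.uid != null;
    //   }

    // Hardened version. Assumptions (not in the question): every profile
    // document has an `ownerUid` field, and admins carry an `admin`
    // custom claim set server-side with the Admin SDK.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner() {
      return signedIn() && resource.data.ownerUid == request.auth.uid;
    }
    function isAdmin() {
      return signedIn() && request.auth.token.admin == true;
    }

    match /profile/{profileId} {
      // Single-document fetch: only the owner or an admin.
      allow get: if isOwner() || isAdmin();
      // Queries: rules are evaluated against every document the query could
      // return, so a non-admin query passes only when it is constrained with
      // where('ownerUid', '==', <caller's uid>); an unfiltered listing of
      // the collection is rejected.
      allow list: if isOwner() || isAdmin();
      // A new profile must be created under the caller's own uid.
      allow create: if signedIn()
                    && request.resource.data.ownerUid == request.auth.uid;
      // Updates may not reassign ownership.
      allow update: if isOwner()
                    && request.resource.data.ownerUid == resource.data.ownerUid;
      allow delete: if isOwner() || isAdmin();
    }
  }
}
```

Before deploying, exercise both the filtered and the unfiltered query against the Firestore emulator (or the Rules Playground in the console) to confirm the unfiltered listing is denied for a non-admin account.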