Search code examples
firebasegoogle-cloud-firestorefirebase-security

Firebase, insecure rules

I recently received an email from firebase telling me that the rules of my database (Firestore) are insecure so I changed them to the following:

rules_version = '2';
service cloud.firestore {
  match / databases / {database} / documents {
    match / {document = **} {
     allow read: if true;
    allow write: if request.auth.uid != null;
    }
  }
}

Before I had these rules:

allow read, write: if true;

After making the change, the emails keep coming back and I don't know what else to do. I already tried several of the following options given in this link but none of them works for what I need.

https://firebase.google.com/docs/rules/insecure-rules#firestore

I need authenified users to be able to read and create content. So use the rules that I put above.

I saw that in the email they send me it says that people can modify my database, is this referring to from the app, or does it mean that they can hack me or something?

Because the end of my app is that users can create content.

But I don't want someone to hack into my database and delete everything, is that possible?

Data Base

Thanks

Solution

  • The emails are because the rules aren't really stringent. You should probably be using the following rule, that:

    1. Allows unauthenticate users to read data
    2. Allows authenticated users to create entries
    3. Allows to update & delete entries that are only owned by themselves and not of others.
    service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true
      allow create: if request.auth.uid == request.resource.data.author_uid;
      allow update, delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}

    Read this article for better understanding. You can also check when firestore flags rules as insecure over here. More importantly, this is the point to be emphasized.

    Remember that Firebase allows clients direct access to your data, and Firebase Security Rules are the only safeguard blocking access for malicious users. Defining rules separately from product logic has a number of advantages: clients aren't responsible for enforcing security, buggy implementations will not compromise your data, and most importantly, you're not relying on an intermediary server to protect data from the world.

    Sample rules:

    service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userDoc} {
      allow read: if true
      allow create: if request.auth.uid == request.resource.data.id;
      allow update, delete: if request.auth.uid == resource.data.id;
    }

    match /posts/{postDoc} {
      allow read: if true
      allow create: if request.auth.uid != null;
      allow update, delete: if request.auth.uid == resource.data.user_id;
    }

    match /comments/{commentDoc} {
      allow read: if true
      allow create: if request.auth.uid != null;
      allow update, delete: if request.auth.uid == resource.data.user_id;
    }
  }
}