I am brand new to Firebase and I'm not sure if my Firebase security rules are good enough that no one can hack into my database and change whatever they want. How do you know if your Firebase security rules are any good?
I really do not want to allow anyone to change any data unless they are the current user changing only their personal data.
Here is a picture of my current Firebase security rules:
How do I know if my Firebase security rules are any good?
Also, not sure if this will be useful, but I only have 2 collections in my Firestore data. The first one is "users", which just has basic information about my users (name, email address, etc.). The second is "posts", which just has basic info about a post (likes, comments, etc.).
How do you know if your Firebase security rules are good enough so you can't get hacked?
That is really unanswerable. It's like asking "How do I know I'm the smartest person in the world"; you can't know that without competing with every person in the world in a battle of the brains.
Your security rules are a bit like that, except that you're not competing with everyone else but only with folks trying to access your data in a malicious way. And instead of an undefined battle of the brains, you're pitting your security rules (which they can't see) against their skills of deduction and familiarity with the API.
Good security rules allow exactly what your code also does, and nothing else.
A good example of this is your first create rule:

    match /users/{userID} {
      allow create: if true;
    }

So this rule allows anyone in the world to create a document under any ID that they want in your database, simply by calling:

    firebase.firestore().doc("users/IAMTREV347").set({ whateverKeyIWant: "WithWhateverValue" })
Your own code is probably a bit more restrained than that. For example, it seems that you want to store documents in /users/$uid, so under the UID of the current user in your app. In code that might be something like this:

    const uid = firebase.auth().currentUser.uid;
    firebase.firestore().collection("users").doc(uid).set({
      uid: uid,
      name: "Trev345"
    })
So you'll need to tighten your rules to:
- only allow a user to create a document under their own UID,
- only allow the uid field to match that UID,
- only allow the name field in that document.
If you modify your rules like that, they allow exactly what the code does and nothing else, so there is no room for anyone to abuse them.
So the proper create rule would be:
    match /users/{userID} {
      // The signed-in user may only create the document whose ID is their own UID,
      // the stored uid field must match that ID, and no other keys than name and uid are accepted.
      allow create: if request.auth.uid == userID &&
                       request.resource.data.uid == userID &&
                       request.resource.data.keys().hasOnly(['name', 'uid']);
    }
You should go through each of your rules like that and through each piece of code that accesses the database, and give the minimum permission that allows the code to work.
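The following is an added example, not part of the original question or answer: a complete firestore.rules file that applies the "allow exactly what the code does" principle from the answer to both collections the asker mentioned. The users rules follow the answer's create rule and extend it to update and delete; the posts rules assume a schema the question does not show (an `authorId` field holding the author's UID, a numeric `likes` field and a `comments` list), so adjust those names to match the real documents. The `signedIn()` and `userShape()` helper functions are names chosen here, not Firebase built-ins.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: is the caller authenticated at all?
    function signedIn() {
      return request.auth != null;
    }

    // Helper: does the written user document have exactly the expected shape?
    // hasOnly() rejects extra keys but still accepts a subset (a document with
    // only `uid` would pass), so pair it with hasAll() when every field is required.
    function userShape(data) {
      return data.keys().hasAll(['uid', 'name'])
          && data.keys().hasOnly(['uid', 'name'])
          && data.uid is string
          && data.name is string;
    }

    match /users/{userID} {
      // Assumption: profiles are readable by any signed-in user. Tighten to
      // request.auth.uid == userID if profiles are private.
      allow read: if signedIn();

      // Only the owner may create their profile, and the stored uid must equal the document ID.
      allow create: if signedIn()
                    && request.auth.uid == userID
                    && request.resource.data.uid == userID
                    && userShape(request.resource.data);

      // Only the owner may update; the uid field is immutable and no new keys may appear.
      // request.resource.data is the document as it would look after the write.
      allow update: if signedIn()
                    && request.auth.uid == userID
                    && request.resource.data.uid == resource.data.uid
                    && userShape(request.resource.data);

      // Only the owner may delete their own profile.
      allow delete: if signedIn() && request.auth.uid == userID;
    }

    match /posts/{postID} {
      // Assumption: each post stores its author's UID in `authorId`, a numeric
      // `likes` counter and a `comments` list. The question does not show the schema.
      allow read: if signedIn();

      // A post may only be created on behalf of the caller, with no unexpected keys.
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid
                    && request.resource.data.keys().hasOnly(['authorId', 'likes', 'comments'])
                    && request.resource.data.likes is int
                    && request.resource.data.comments is list;

      // Only the existing author may update, and authorship cannot be reassigned.
      allow update: if signedIn()
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId
                    && request.resource.data.keys().hasOnly(['authorId', 'likes', 'comments'])
                    && request.resource.data.likes is int
                    && request.resource.data.comments is list;

      // Only the author may delete their post.
      allow delete: if signedIn() && resource.data.authorId == request.auth.uid;
    }
  }
}
```

Two caveats worth checking against the real app. First, these posts rules are a literal reading of "only the current user changing their own data": nobody but the author can touch `likes` or `comments`, so if other users are meant to like or comment, that data needs its own subcollection (for example `/posts/{postID}/likes/{uid}`) with a rule keyed on the liker's UID, rather than a free-for-all update on the post document. Second, the way to know whether rules like these actually do what you intend is to run them in the Firebase Local Emulator Suite and write tests with the `@firebase/rules-unit-testing` package that assert both the allowed writes (owner creating `/users/<own uid>`) and the denied ones (another UID, an extra key, a mismatched `uid` field); the answer's "exactly what the code does, and nothing else" is the list of test cases.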