3

In Firebase security rules, how can you stop hackers running a script for signup to your website? Bear in mind I need them to be able to sign up externally on my homepage, so I cannot say they need to be logged in.

I know the basic settings from reading the Firebase security documentation, but I'm worried it's not secure enough, especially if someone knew my Firebase app URL to write or read to the database.

In addition it would be good to know the basics I should have so I can check if I do have those.

Currently I have these settings:

{
  "rules": {
    "users": {
        ".read": "auth != null",
        ".write": true,
        ".indexOn": ["uid", "region"]
    }
  }
}

Users can write as I need them to sign up but cannot read unless they are logged in. I also have some indexes for performance reasons.

This is where my knowledge stops.

Thanks in advance!

AngularM
  • Firebase security rules have nothing to do with creating accounts or logging in to your app. They are only used for reading and writing to your database. – André Kool May 17 '16 at 19:17

1 Answer

4

You want to allow users to write, but only to their own user entry. That's actually easy to do with rules:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

This says /user/{$uid} can only be read or written by a user who is signed in, and whose user ID matches the {$uid} part of the path. Take a look at the rules quickstart for more.

Frank van Puffelen
Ian Barber
  • No I want users to sign up and prevent a hacker running a script and adding lots of firebase users eg 1 million and breaking my database – AngularM May 17 '16 at 17:19
  • What if they are a new user and writing for first time? Eg signing up. That users could create many new users – AngularM May 17 '16 at 17:20
  • Ah I see! Well first off, you probably do want a rule like this anyway, as your current rule allows any signed in user to write to any other user's entry. In terms of limiting, using a rule like this would mean they would have to authenticate again to get a new UID - if you use a social provider (Google, Facebook, Twitter, Github etc.) they would have to make a new account, which would be hard to do, so they wouldn't be able to create so many. What sign in options do you support? – Ian Barber May 17 '16 at 17:22
  • I support Facebook, Google, Twitter and Firebase Auth. So if a hacker got my Firebase URL, they could write lots of sign ups and delete my database. I will definitely add your auth.uid part. – AngularM May 17 '16 at 19:46
  • Firebase Authentication does not write to the database, so those sign-ups are harmless. They just claim some space in Firebase's internals and sometimes not even that. You can prevent unauthorized writes and deletes to *your* database with the security rules as Ian mentioned. See this [answer by Kato](http://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase) for a great explanation. – Frank van Puffelen May 17 '16 at 20:54
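The following ruleset is an added example, not code from the answer above or from the Firebase documentation. It places the question's original `.write: true` rule next to a hardened version that combines the per-user rule from the answer with an explicit root-level deny and `.validate` constraints on the profile's shape. The child names `uid` and `region` are taken from the question's `.indexOn` list; the 32-character limit on `region` and the decision to reject any other child are assumptions chosen for illustration.

```json
{
  "rules": {
    // Explicit default: nothing is readable or writable unless a deeper rule grants it.
    // (This is already Firebase's default; stating it makes the intent visible in review.)
    ".read": false,
    ".write": false,

    "users": {
      // Indexes stay at the collection level, as in the original rules.
      ".indexOn": ["uid", "region"],

      // Original (weak) rule, kept here for comparison and NOT to be deployed:
      //   ".read": "auth != null",
      //   ".write": true
      // ".write": true lets an unauthenticated client create, overwrite or delete
      // any entry under /users, and "auth != null" lets any signed-in user read every profile.

      "$uid": {
        // Hardened rule from the answer: only the signed-in owner may read or write
        // the entry whose key equals their auth.uid.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",

        // Constrain what an owner may store. .validate does not cascade, so each
        // child that is allowed gets its own rule and unknown children are rejected.
        ".validate": "newData.hasChildren(['uid', 'region'])",
        "uid": {
          // The stored uid must match the key, so a client cannot label its own
          // profile with someone else's ID.
          ".validate": "newData.isString() && newData.val() == $uid"
        },
        "region": {
          // Assumed limit of 32 characters to keep the field small.
          ".validate": "newData.isString() && newData.val().length <= 32"
        },
        "$other": {
          // Any child not listed above is refused.
          ".validate": false
        }
      }
    }
  }
}
```

Two points worth keeping in mind when adapting this: `.write` permissions cascade downward, so the `$uid` rule is the only place write access is granted and nothing above it should be loosened; and, as Frank notes in the comments, none of this limits how many accounts can be created through Firebase Authentication. The rules only decide what an account, once it exists, is allowed to read or write in the database.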