1

Okay, I have the following use case for Firebase:

Client wants us to store data from a form and put it into the DB. This is handled on the backend with Express.

This has to be done pretty quickly, so I just want to make sure I do it correctly.

I currently have the rules to allow read and write access to be true. Would this be okay in production, given that users can only input data through the form? And they wouldn't have access to the API key, so other users couldn't mess with the data?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Tulun
  • 469
  • 4
  • 15

2 Answers2

3

From your description it sounds like you have:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

This means that anyone who can find the URL for your database (https://yours.firebaseio.com) can write to the database. It doesn't matter if they use your form, directly use a Firebase SDK or even if they just make a REST request using curl:

curl -X DELETE 'https://yours.firebaseio.com/.json'

This last line will delete your entire database. And all it takes is one malicious user or one typo while you're developing (this happens a lot more than you'd think).

So you really should set up your database security rules to:

  1. validate that the data is in the correct format
  2. make sure that only authenticated users can access the data that they're authorized for
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • That's... really good to know. Alright, I'll look into adding an authentication layer. I didn't realize someone could just curl delete it. – Tulun Feb 24 '17 at 22:50
2

Yes, having both read and write permissions set to true is a big security hole for multiple reasons:

  • Public read access creates a privacy problem for your users if you handle any personal information.
  • It is also a breach of confidentiality with your client if you expose their business data to the public without their consent.
  • Public write access allows anyone with your database URL to delete or modify its contents at will.

Also note that if your app exposes Firebase through its front-end to the users, getting your database URL is as simple as reading through the app's HTML source.

What you can do, however

is authenticate your app through the server side and set private access to the database. Take a look at how to create a service account, also detailed here.

If you use an older version of firebase, you will have to use server tokens

Hope this helps!

Community
  • 1
  • 1
ppajer
  • 3,045
  • 1
  • 15
  • 22
  • Seems similar to the above answer. I'll look into this. – Tulun Feb 24 '17 at 22:50
  • @Tulun The point is the same, yes. I wanted to elaborate on the different threats this poses, how easily your db url is accessible to the public and the dedicated ways Firebase has to auth your server. Too long to comment on the other answer and still be legible :) – ppajer Feb 24 '17 at 22:56
  • I added the firebase admin implementation instead, so I think I've circumvented at least the global problem :) – Tulun Feb 24 '17 at 23:43
  • @Tulun That should do the trick. If you need to provide even more security for some reason, [you can also restrict database access to specific user IDs](http://stackoverflow.com/questions/39133918/restricting-firebase-read-write-access-to-only-myself). – ppajer Feb 24 '17 at 23:58