How safe is auth !== null? Firebase

Question

I've been using Firebase for quite some time, but I only now decided to really look into the security rules.

My question is, how safe is "auth !== null"? Yes, I realize that this means that only an authenticated user can access the data, but how easy is it to become authenticated? Can someone sign up for the app, and then use those credentials to GET request right into my database?

Like I said, I'm new to Security rules, so I'm sorry if this is an obvious question.

Here's my security rules:

{
  "rules": {
    "Users": {
      "$user_id": {
        ".write": "$user_id === auth.uid",  
        ".read" : "auth !== null",
        "shoofers" : {
          ".write" : "auth != null"
        }
      }
    }
  }
}

Thanks!

Neil

Answer 1

You can give users access to the database either after sign in authentication or with out authentication. But it is good and safe to allow users to access your database with authentication

with authentication security rules are

  {
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

and without authentication

     {
  "rules": {
    ".read": "auth == null",
    ".write": "auth == null"
  }
}

Answer 2

A user can authenticate via anonymous, email/password, various OAuth providers and phone number sign in. You can enable/disable either of them. Your root rule above allows read only access to any authenticated user via any of the mechanisms stated and write access for a specified user to their own data. It is very difficult to fake sign in. The database will always check that the request has an ID token (when auth is not null). ID tokens use public-key cryptography and are hard to fake without possession of the private key.

Answer 3

{
  "rules": {
     ".read" : "auth.uid != null",
     ".write" : "auth.uid != null",
  }
}

or without authentication

{
  "rules": {
     ".read" : "auth.uid == null",
     ".write" : "auth.uid == null",
  }
}

Answer 4

The thing i have seen is, when you use 'simulator' from firebase console and fake authentication by giving some random string as uid, firebase doesn't check it and allows access. So auth!=null is not enough because it authenticates even if uid=1.