I have received an email from Firebase advising me that my security rules are insecure, citing: "Any user can read/write to your database."

How can this be? I have specified .read and .write rules below. What am I missing? Any help would be much appreciated.

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "venues-location": {
      ".indexOn": "g"
    },
    "users-compliments": {
      "$uid": {
        "$uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-invites": {
      "$uid": {
        "$uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-location": {
      ".indexOn": "g"
    }
  }
}
Frank van Puffelen
Roggie

2 Answers

".read": "auth != null",

".write": "auth != null",

These above rules are the default rules. According to the Firebase documentation, they allow full read and write access to authenticated users of your app. They are useful if you want data open to all users of your app but don't want it open to the world.

It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

Here's an example of a rule that grants write access for authenticated users to /users/<uid>/, where <uid> is the ID of the user obtained through Firebase Authentication.

{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}
Muhammad Ibrahim
  • Thanks for your suggestions and pointing me in the right direction. The doco link looks very helpful. Question is: would you say applying your suggestion addresses the security concern I received from Firebase? – Roggie Jul 11 '18 at 00:43
  • Dear @Roggie, it totally depends on your business model: if (You Want Your Every User to be able to read and Write ){ //Your code is fine }else{ //make your data more secure by allowing specific users by applying the above //mentioned rules } – Muhammad Ibrahim Jul 11 '18 at 00:50
  • In my DB model I have a root node called `venues` with each child representing a venue object; changing to the suggested rules above results in no venues being displayed on my tableview. Does this mean that I need to add another security rule for `venues` and any other parent node for that matter? – Roggie Jul 11 '18 at 01:56
  • `{ "rules": { "venues": { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } } }` – Muhammad Ibrahim Jul 11 '18 at 10:06

"auth != null" is not enough. It means anyone who is authenticated can read/write another user's data. You probably want to add something like ".write": "auth.uid == $uid" under the $uid nodes, to only allow the authenticated user to access their own data and not another user's.

bojeil
  • This however would not be the case where all users can read/write data as long as they are authenticated. In my case a few users can access the app and all have the same access scope and rights, therefore in my case the default rules are perfectly fine. Should I simply ignore the warning message? Probably this warning is delivered because apps usually have more restrictive needs (only the owner can edit their own data). – Francesco Jul 11 '18 at 05:51
  • @Francesco I'm also having the warning should I ignore it ? – Rahul Vyas Sep 16 '20 at 13:28
  • It depends on the scope and criticality of your app. In my case it was a pet project, so no really sensitive data shared between users. But if this is not your case, I would try to investigate further and not ignore them. – Francesco Sep 17 '20 at 08:57
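Putting both answers together for the asker's own node layout, here is an added example of a scoped ruleset (not from the original question or answers). It drops the root-level ".read"/".write" grants, because a grant at a shallower level cascades to every child and cannot be revoked deeper; the per-node choices (venues readable by any signed-in user and written only from the server, the inner wildcard renamed `$other_uid`) are assumptions about the app, and the `//` comments rely on the Firebase rules editor accepting them.

```json
{
  "rules": {
    // No root-level ".read"/".write": the original "auth != null" grants here
    // cascaded to every child, which is what the Firebase warning refers to.
    "venues": {
      // Shared catalogue: any signed-in user may read it. Clients cannot write;
      // assumption: venues are maintained server-side (Admin SDK bypasses rules).
      ".read": "auth != null",
      ".write": false
    },
    "venues-location": {
      ".read": "auth != null",
      ".write": false,
      ".indexOn": "g"
    },
    "users-compliments": {
      "$uid": {
        // Only the owner of this branch can read or write under it.
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        "$other_uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-invites": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        "$other_uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-location": {
      // Assumption: signed-in users may query each other's locations (geo index),
      // but each user may update only their own entry.
      ".read": "auth != null",
      ".indexOn": "g",
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}
```

Before publishing, run a read of `/users-compliments/<some-other-uid>` and a write to `/venues` in the Rules Playground as a non-owner; both should be denied while reads of `/venues` by a signed-in user succeed.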