0

I am new to the Google Cloud platform and have been scouring the documentation to determine if Firestore/Firebase is a good fit for my next web app. I understand that because my API key to my project is exposed the only security to my database is the rule set. I have looked at many examples and find the (if request.auth.uid != null) approach implemented a lot to limit access only to authenticated users.

I am also looking at using Firebase Auth() and keep asking myself how effective the (request.auth.uid != null) if anyone with my API key can run a few commands using Auth to create a new account. Is there a way to limit who can create an account not just anyone who can open up DevTools, grab my key, and start issuing some commands? Am I missing something here? Is there some standard approach that should be taken? Thanks in advance.

Gautam
  • 2,597
  • 1
  • 28
  • 51
Chris Mancini
  • 105
  • 1
  • 1
  • 9
  • Have a look at my answer here: https://stackoverflow.com/questions/51392059/firebase-email-saying-my-realtime-database-has-insecure-rules. It describes what those rules protect against, and what they still allow. – Frank van Puffelen Sep 26 '18 at 14:05
  • So basically your post confirms exactly what I thought. If I want to have a web application available on the WWW where only legitimate users have read/write access to the data and I want to use the email/password provider then I have to come up with some way on the backend to distinguish a true user from someone who could've used the API Key and the dev console to create a new "illegitimate" user. Are there any recommended strategies for doing this? – Chris Mancini Sep 26 '18 at 15:27
  • You should enforce your business logic in the backend (in security rules or server-side code). Once you do that, it doesn't matter if somebody created a user in a different way: as long as they're following your rules. – Frank van Puffelen Sep 26 '18 at 15:30

0 Answers0