0

Firebase told me that my Database is not secure because I had as rules:

service cloud.firestore {
 match /databases/{database}/documents {
   match /mypath/{document=**} {
    allow write: if true;
    allow read, delete: if false;
   }
  }
 }

I do not have problem about read and delete since only my server that use FirebaseAdmin can do such operations. However I still have a problem regarding write operations. This is the reason why I switch to this configuration:

service cloud.firestore {
  match /databases/{database}/documents {
    match /mypath/{document=**} {
      allow write: if request.resource.data.psw == 'mypassword';
      allow read, delete: if false;
    }
  }
}

my idea is to write a password in a configuration file of my app and using it together the data that I want to save on Firestore. Is this method secure or there is a better way?

thanks in advance for any advice.

AM13
  • 661
  • 1
  • 8
  • 18

1 Answers1

4

The scheme you're using isn't secure at all, since you're shipping your "secret" to client apps. Any piece of information you include in your app is essentially public information, since it's easy to break down a mobile or web app data to see exactly how it works.

The secure way is to use Firebase Authentication to limit who can read or write certain data. This is the only way secure a database on a per-user basis. It's not possible to securely limit access to a database on a per-app basis.

Bear in mind also that what you have now also allows any client to update any known document without providing the password. request.resource.data.psw will be set correctly for updates where it was previously initially set correctly. That's because request.resource.data contains all the prior document's content, plus whatever changes were added in the update.

If you can't use Firebase Authentication for some reason, what you're doing now is the best you can do, but it really should be known that it's not very secure.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441