2

We have an iOS app that uses Firestore. The app only reads data (no writes), we have no user accounts and nothing on the database must be protected. For that reason we ran with these naive security rules

    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
           allow read;
        }
      }
    }

However, Firebase has warned us (sure, for good reasons) that this puts us at risk for two reasons:

  1. Any user can read anything from the database, therefore nothing is secure.

I don't see this as a problem because we have nothing that must be kept secret. At least for now, sure, that might change.

  2. Unlimited reads are permitted

This is where the problem lies. I suppose a malicious user could read our database millions of times and thereby shut us down or simply force us to pay a large bill (we use the Blaze plan, pay as you go).

How can we protect ourselves from this? I've seen similar questions here but they don't provide any helpful suggestions: How to limit rate of data reads from Firebase?

My idea is that we could use anonymous user accounts in the app and then in our security rules only allow read if the user is "logged in" (thereby anyone using the app). I'm far from an expert on Firebase and security issues, but wouldn't this at least make it harder, or impossible, for someone to read our database millions of times because it must be done through the app?

Any other suggestions how we may approach this?

Firebase warning message for bad security rules

Doug Stevenson

2 Answers

4

There's not really a way to throttle the read rate for a particular client app once you allow read access to a document. With fully public read rules, everyone on the internet could read documents repeatedly to run up a bill. The chances of that happening are really slim though, and you should report what appears to be abusive behavior to Firebase support.

You can get rid of the warning message by calling out the individual top-level collection you would like the clients to be able to read. Since Firebase doesn't know which collections you might want to allow or disallow access to, you should be explicit. For example, something like this for each collection:

    match /collection1/{document=**} {
       allow read;
    }
    match /collection2/{document=**} {
       allow read;
    }

If you do this, be sure to remove the rule you have now that allows access to all documents.

Doug Stevenson
1

If it's just a read-only operation, then you can consider using Remote Config, as Remote Config is completely free. But if it's necessary to use the Firestore database for your scenario, then consider Firebase Anonymous sign-in and setting the following security rule:

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /collection_name/{documentId} {
          allow read: if request.auth.uid != null;
          allow write: if false;
        }
      }
    }
ked
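
An added example, not code from either answer: one way to combine the two suggestions above, with explicit per-collection rules from the first answer and the sign-in requirement from the second. It goes one step further by splitting `read` into `get` and `list` and bounding each query with `request.query.limit`; the collection names are the first answer's placeholders and the 50-document cap is an assumed value.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: "signed in" means any Firebase Auth user, including the
    // anonymous accounts the app creates on first launch.
    function signedIn() {
      return request.auth != null;
    }

    // collection1 and collection2 are the placeholder names from the first
    // answer; list each real top-level collection explicitly like this.
    match /collection1/{document=**} {
      // Single-document reads.
      allow get: if signedIn();
      // Queries and collection reads: reject any query that does not set a
      // limit of at most 50 documents (50 is an assumed value).
      allow list: if signedIn() && request.query.limit <= 50;
    }

    match /collection2/{document=**} {
      allow get: if signedIn();
      allow list: if signedIn() && request.query.limit <= 50;
    }

    // No "allow write" and no /{document=**} catch-all: anything not
    // matched above is denied by default.
  }
}
```

With these rules every query the app issues must set a limit of 50 or less, or it is denied. The cap bounds how many documents a single query can bill; it does not limit how often a client may query.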