
I have a serious question. I am developing the security rules for my Firestore database. So what if someone decompiled my app, stole the GoogleInfo.plist, added this file to his project, and created multiple accounts with it? I mean, in the security rules you have to:

allow create: if request.auth != null;

So he could add a new document every time he adds a FirebaseUser account.

How to solve and secure this?

Are there other options, like signing in with a custom field? For example:

I create a document ID.

and so we check in the Firestore rules:

match /document/{myDOC} {
  allow write: if request.auth.code == myDOC;
}

So what I mean here is: can I attach additional information to the request from my app, and check whether that additional information is equal to myDOC?

Thanks!!

Doug Stevenson

2 Answers


This is all working by design. There is no "security" information in GoogleInfo.plist. It just contains data that instructs the Firebase SDK on how to find your project and its resources. Without that data, your app would know nothing about your project.

To secure your database, you will need to design your database to allow for per-user security, then write rules that determine which authenticated users can read and write which documents, as suggested in the documentation.

It's not possible to send extra information along with a query for the purpose of security. You should depend on what Firebase auth provides in request.auth in the rules language.

See also: Is it safe to expose Firebase apiKey to the public?

Doug Stevenson
  • Are there any security rules for creating users over the Firestore SDK? I mean, let's simulate: he imports my google.plist and creates 1000 accounts over "createUserEmailPassword", so he could create users as often as he wants with my plist, or am I wrong? – Sobhi Hammoud Jun 18 '20 at 18:12
  • No. What you're describing is an issue with pretty much all cloud-based public services. If you suspect patterns of abuse, contact Firebase support directly. https://support.google.com/firebase/contact/support – Doug Stevenson Jun 18 '20 at 18:35

https://firebase.google.com/docs/auth/admin/custom-claims

Firebase Admin SDK allows you to define custom attributes on user accounts.

admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
  // The new custom claims will propagate to the user's ID token the
  // next time a new one is issued.
});

When you are writing your rules, it is possible to check these custom attributes.

{
  "rules": {
    "adminContent": {
      ".read": "auth.token.admin === true",
      ".write": "auth.token.admin === true"
    }
  }
}

But as it is stated in the docs, you should consider these points:

  1. Use custom claims to store data for controlling user access only. All other data should be stored separately via the real-time database or other server side storage.
  2. Custom claims are limited in size. Passing a custom claims payload greater than 1000 bytes will throw an error.
Can
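As an added example that is not part of either answer, the following Node.js helper enforces the two documented caveats above (access-control data only, keys that are not reserved OIDC claim names, and the 1000-byte payload limit) before the Admin SDK call is made. The names validateCustomClaims and setClaimsSafely are my own; `auth` is assumed to be an object exposing the Admin SDK's setCustomUserClaims(uid, claims) method, so a fake can be passed in for offline testing.

```javascript
// Added example (not from the original answers): guard a custom-claims update
// against the documented limits before calling the Admin SDK.
// `auth` is assumed to expose setCustomUserClaims(uid, claims) like admin.auth().

// Reserved OIDC claim names that Firebase rejects as custom-claim keys.
const RESERVED_CLAIMS = new Set([
  'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash',
  'exp', 'iat', 'iss', 'jti', 'nbf', 'nonce', 'sub', 'firebase',
]);
const MAX_CLAIMS_BYTES = 1000; // documented custom-claims payload limit

// Returns { ok: true } or { ok: false, reason } without touching Firebase.
function validateCustomClaims(claims) {
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    return { ok: false, reason: 'claims must be a plain object' };
  }
  for (const key of Object.keys(claims)) {
    if (RESERVED_CLAIMS.has(key)) {
      return { ok: false, reason: `reserved claim name: ${key}` };
    }
  }
  // Measure the serialized form, which is what gets embedded in the ID token.
  const bytes = Buffer.byteLength(JSON.stringify(claims), 'utf8');
  if (bytes > MAX_CLAIMS_BYTES) {
    return { ok: false, reason: `payload is ${bytes} bytes, limit is ${MAX_CLAIMS_BYTES}` };
  }
  return { ok: true };
}

// Validates first, then forwards to auth.setCustomUserClaims. Rejecting locally
// keeps oversized or reserved-key payloads from ever reaching the Auth backend.
async function setClaimsSafely(auth, uid, claims) {
  const check = validateCustomClaims(claims);
  if (!check.ok) {
    throw new Error(`refusing to set claims for ${uid}: ${check.reason}`);
  }
  await auth.setCustomUserClaims(uid, claims);
  // The matching Firestore rule (the answer's JSON is Realtime Database syntax):
  //   allow read, write: if request.auth != null && request.auth.token.admin == true;
  return check;
}
```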