I'm coding a website based on Firebase. I have to store documents to which access will be shared by 2 different users. To do that I created a rule to allow read access to the users whose UIDs are specified in the document. I'm concerned that by revealing the UID to the other party, an attacker could access the victim's information in other collections that are restricted by UID. Imagine the following scenario: I know the UID of another user (the victim) in the same Firestore project, but the data I want to access is protected by a rule that allows read/write only to the user with that UID. The attacker has non-administrative privileges (and has no access to the Admin SDK keys). Could the attacker manipulate the headers (or any other data) sent to Firestore to access the information stored in that particular document?
Asked by user3169670
- Do you use Firebase Auth? – Renaud Tarnec Oct 26 '20 at 13:48
- Yes, I'm using Firebase Auth @RenaudTarnec – user3169670 Oct 26 '20 at 13:51
- There is no way to impersonate the `request.auth` variable in security rules from the client-side Firebase SDKs or APIs. The only way to do this is through Firebase's server-side Admin SDKs, which already have full administrative access anyway. – Frank van Puffelen Oct 26 '20 at 14:36
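As an added illustration of the setup the question describes and of the point made in the last comment (this is example rules code written for this page, not code from the asker or from Firebase's own documentation), the following Firestore security rules cover both collections: a per-user collection keyed by UID in the path, and a collection of documents shared between exactly two users. The collection names `users` and `shared` and the field name `participants` are assumptions for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The caller presented a valid Firebase Auth ID token.
    // request.auth is populated by Firestore from the verified token,
    // never from anything the client puts in request headers or body,
    // so a client cannot claim another user's UID here.
    function signedIn() {
      return request.auth != null;
    }

    // Per-user data: only the owner (the UID in the path) may read or write.
    // Knowing the victim's UID does not help an attacker, because
    // request.auth.uid is the UID the token was issued for, not a value
    // the attacker can supply.
    match /users/{userId}/{document=**} {
      allow read, write: if signedIn() && request.auth.uid == userId;
    }

    // Documents shared between the users listed in `participants`
    // (assumed to be an array of UIDs stored in the document).
    match /shared/{docId} {
      // Read access only for listed participants.
      allow read: if signedIn()
        && request.auth.uid in resource.data.participants;

      // The creator must be one of the participants, and the list is
      // fixed at two UIDs so one user cannot pre-create a document
      // that grants access to a long list of other accounts.
      allow create: if signedIn()
        && request.auth.uid in request.resource.data.participants
        && request.resource.data.participants.size() == 2;

      // Participants may edit the content but must not change who has
      // access: the participant list in the written document has to equal
      // the list already stored.
      allow update: if signedIn()
        && request.auth.uid in resource.data.participants
        && request.resource.data.participants == resource.data.participants;

      allow delete: if signedIn()
        && request.auth.uid in resource.data.participants;
    }
  }
}
```

Two points are worth checking in your own rules against these. First, every condition compares against `request.auth.uid`, which Firestore derives from the ID token Firebase Auth issued to the caller; headers or body fields sent by the client never reach the rule, which is why a known victim UID is not exploitable from a client SDK. Second, sharing a document does leak the other party's UID, so the `update` rule pins the `participants` list: without it, a participant could rewrite the list to add any UID they know, which is the realistic way shared-access rules go wrong. The Rules Playground in the Firebase console or the local emulator lets you run a request as a chosen UID to confirm both behaviours.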