After finishing development for my application, I realised that I had left the insecure rules on as it was my first major project with Firestore and I had to fix some issues and I changed the rules to allow me to use it. When I went to turn it off, the whole application stopped working as it only accesses it through these rules. I have read a lot of responses here and am aware this question has been asked many times before but I am truly stuck and have no idea how to proceed.

Currently there is no signup required as it is on a Shopify app - store owners must be signed in to use it and so the database has an area such as /users/ where each entry is the store name and holds its associated data (so people do not need accounts to use it). There is also an exterior portal on Retool that edits all of these records on the database - I believe this complicates things as I feel like two sets of rules are required.

My current rules:

```
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

I am now aware that store owners could wipe or steal the data of other shop owners and so far have set up daily backups, but haven't been able to fix this issue. I would like to know if it is possible for me to set the database up in such a way that allows store owners to still read/write to their sections but also the people using the Retool portal that interacts with db to have access.

I have no idea how to proceed and any help would be sincerely appreciated. I saw something saying about limiting users to using an extra layer of server's REST API but have no idea how I would go about implementing this and if I would have to change rules.

  • This question is way too broad to be answered as is. It's also a bit unclear as to how the app is set up. You mentioned that there is no signup so I assume that means for customers. However, you also mentioned *store owners must be signed in* which would indicate you're using authentication. If that's the case what's preventing you from writing rules that only allow a shop owner to modify their own data? – Jay Mar 02 '21 at 18:44
  • @Jay in all honesty I have no idea how rules are written, although even if they are authenticated through Shopify being logged in, are they not able to hack it in some way to write over the db? It of course is also protected by an API but a developer might leak that key and thus exposing the db – Ronnie Lightweightbaby Coleman Mar 03 '21 at 09:32
  • **I have no idea how rules are written** is an important point. If you don't know how to write rules, you will need to learn in order to secure your app's data. The Getting Started Guides [Secure data in Cloud Firestore](https://firebase.google.com/docs/firestore/security/overview) are pretty good and have a few examples. There are also dozens of questions here related to rules and there are tutorials available on the net as well as YouTube videos. That's where you need to start. **leak that key** has nothing to do with overwriting a database. A key is not secure nor is it supposed to be. – Jay Mar 03 '21 at 17:25
  • See [Is it safe to expose Firebase apiKey to the public?](https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public) for more information about the API key. – Jay Mar 03 '21 at 17:27
  • Could you share your Firestore structure? Indeed you need a couple more rules, however in order to give you a better suggestion I would need to know what your table structure looks like – Emmanuel Mar 05 '21 at 00:06
  • @Emmanuel so there is a main area called stores, which has entries in (the name of the store), and within each is associated data (customer collections, fields set by store owner). They need to be able to save and read to their own. The portal is to modify the collections within a store, once they have been updated by a human. The portal can access all stores. Thanks Emmanuel, hope that is clear enough; if not I can try to explain in a different way. – Ronnie Lightweightbaby Coleman Mar 05 '21 at 08:50
  • Please edit your question to add the structure of your Firestore database so we can replicate your Firestore rules and hopefully find the issue. – Emmanuel Mar 11 '21 at 15:21
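
An added example, not part of the original question or its comments: one way to write rules of the kind the first comment describes, where each store owner can reach only their own store's documents. It assumes the `stores/{store name}` layout described in the comments, that the app's backend verifies the Shopify session and mints a Firebase custom token carrying a hypothetical `shop` claim, and that the Retool portal connects with a service account, whose server-side access is not evaluated against security rules, so no second rule set is needed for it.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: `shop` is a custom claim set by the app's backend after it
    // has verified the Shopify session; its value is the store's document ID.
    // A request without the claim fails this check and is denied.
    function ownsStore(storeId) {
      return request.auth != null
          && request.auth.token.shop == storeId;
    }

    // The store's own document: the owner may read and save it.
    // Deleting a whole store is left to the portal (assumption).
    match /stores/{storeId} {
      allow read, create, update: if ownsStore(storeId);

      // Every document in every subcollection of that store,
      // for example the customer collections mentioned in the comments.
      match /{collection}/{docPath=**} {
        allow read, write: if ownsStore(storeId);
      }
    }

    // No other match blocks: any path not listed above is denied
    // to client SDKs by default.
  }
}
```

With these rules a client signed in for one store gets a permission-denied error on any other store's path, and an unauthenticated client that only has the API key is denied everywhere.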

0 Answers