I have users, registered with the Email function of Firebase Authentication. Only authenticated users should write to my Firestore database.

My rule (from the documentation):

allow write: if request.auth != null;

allows access to every request where there is a non-null auth object. This doesn't seem to be very secure, as you could just make a request with any auth = {something: "hacker"} object.

So, to avoid this problem, how do I check if the given request.auth.uid is actually the one from the Firebase Authentication service?

Frank van Puffelen
Martin Müsli
  • You may be interested in this answer: https://stackoverflow.com/questions/66185274/firebase-email-saying-my-realtime-database-rules-has-insecure-rules/66185640?stw=2#66185640. – Renaud Tarnec Jun 25 '21 at 15:31

2 Answers


The request.auth variable is populated by Firebase automatically on the server, based on the ID token that is sent along from the client with each request. Minting an ID token for a given Firebase project requires that you have access to the administrative credentials for that project.

This means that, as long as you ensure that you don't share the administrative credentials for your project publicly, nobody can inject their own information into the ID token, and thus the request.auth object in your database is actually secure from tampering.


The rule in your question limits who can write data, as the user will need to be signed in to Firebase Authentication to be able to write. You'll typically also want to limit what the user can do, both by controlling the access (for example, only letting them access their own data), and by validating the data that they write.

Frank van Puffelen
  • Makes sense to me. I got a little bit worried, because in the Firebase rules playground you can edit your custom request. Every time I gave an empty auth object, Firebase still granted access. – Martin Müsli Jun 25 '21 at 13:49
  • The rules playground runs in the Firebase console and can only be accessed by collaborators on the project. As such it is an example of an environment that has access to the administrative credentials of the project. – Frank van Puffelen Jun 25 '21 at 14:03

This set of rules worked for me.

service cloud.firestore {
  match /databases/{database}/documents {
    // Applies to every document in the database
    match /{document=**} {
      // Denies unauthenticated requests: request.auth is null for them,
      // so request.auth.uid cannot evaluate to a non-null value
      allow read, write: if request.auth.uid != null;
    }
  }
}
Kundan