
For my gaming app, I have set the firebase database rules as follows

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

The nature of the game is user has to input data to the database. I mean the authenticated users.

All the players at that time will input data to the same directory. If I secure the rules other than the above, users can't post any input, so the game cannot be played. The app allows users to post data only under certain circumstances, and they cannot update any data as they like; the code doesn't allow all that. But Google keeps warning about the insecure rules. My question is: can an auth user update the database from some other source than my app? Thanks.

hrm
  • Hi Frank, thanks for your message. Sorry, I am very new to Stack Overflow. Frank, I am still confused how an auth user can alter the database if the code in the app doesn't let them do any action as they wish. The code controls what they can do and what they cannot. Thanks for your time. Can an auth user update the database from some other source than my app? – hrm Oct 10 '21 at 15:31
  • Any user can create their own code (e.g. a small web page, or even in a site like jsbin), take the configuration from your application, and then use that config with their own code. Say you have anonymous auth enabled, they could run this simple two-line script to wipe your entire database: `await firebase.auth().signInAnonymously(); firebase.database().ref().set(null);` – Frank van Puffelen Oct 10 '21 at 15:59
  • Okay. I got it. Thanks for your time. I couldn't upvote as I don't have enough reputation. – hrm Oct 11 '21 at 02:34

1 Answer


That a user needs to be able to read all data in the database doesn't mean they need to be able to read the root of the database.

That a user needs to be able to write to the database doesn't mean they need to be able to write to the root of the database.

In both scenarios your code probably doesn't read the root, and it definitely doesn't simply write to the root - as that would overwrite the data from the other users.

Your rules should allow exactly how your code accesses the data, and nothing more. This is known as the principle of least privilege - and is a common practice in securing systems.

Also see:

Finally I recommend checking out Firebase App Check too, which drastically reduces the chances of abuse from users that use your configuration data but not your code.

Frank van Puffelen
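One way to express the least-privilege rules the answer describes, as an added example that is not from the answer or the asker's app. It assumes a constructed layout `rounds/$roundId/entries/$uid` in which every player of a round writes to the same shared node but only under their own uid, and it relies on the `//` comment syntax the Firebase rules editor accepts:

```json
{
  "rules": {
    // Nothing is declared at the root, so nothing outside "rounds" is readable or writable.
    "rounds": {
      "$roundId": {
        // Any signed-in player may read the whole round (the game needs to see all entries).
        ".read": "auth != null",
        "entries": {
          "$uid": {
            // A player may create only the entry keyed by their own uid, exactly once:
            // no overwrite of an existing entry, no delete, no touching other players' entries.
            ".write": "auth != null && auth.uid == $uid && !data.exists() && newData.exists()",
            // The entry must carry exactly the fields the app sends.
            ".validate": "newData.hasChildren(['answer', 'submittedAt'])",
            "answer": {
              ".validate": "newData.isString() && newData.val().length <= 100"
            },
            "submittedAt": {
              // Accepts only the server timestamp (ServerValue.TIMESTAMP), so clients cannot backdate.
              ".validate": "newData.val() == now"
            },
            // Reject any field not listed above.
            "$other": { ".validate": false }
          }
        }
      }
    }
  }
}
```

Compared with the root-level rule in the question, a user who reuses the app's configuration from their own script can still sign in, but the most they can write is a single well-formed entry under their own uid; a `set(null)` on the root or on another player's entry is denied by the rules rather than by the app's code.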