0

I am using the real-time DB ONLY for counting online/active users in real-time mode.

The simple DB structure is literally this:

"user-states": {
    "user-id-1": 1,
    "user-id-2": 2,
    ....
}

My current rules:

{
  "rules": {
    ".read": "auth.uid != null",
    ".write": "newData.exists() && auth.uid != null",
  }
}

I can't think of better rules for the simplest DB structure given above. If there'll be a breach in the Firebase project, it'll be a no problem to the whole system. Delete or alter the data, no problem, since it gets updated in real-time.

If I made the rules above correct, then is it possible to just silence the warning emails about the "insecure" rules?

Glenn Posadas
  • 12,555
  • 6
  • 54
  • 95
  • Also see this answer I gave on a similar question yesterday: https://stackoverflow.com/questions/69510018/firebase-your-realtime-database-has-insecure-rules/69510132#69510132 – Frank van Puffelen Oct 10 '21 at 22:57

1 Answers1

2

While your current rules do their job, they don't protect your database from abuse, which is why they are marked insecure and you get the alert. These alerts are important and shouldn't be ignored without good reason. As @puf mentions in the comments below these alerts can be disabled, but I would not recommend it for your application.

As some examples of attack vectors, you could do the following with your current structure:

  • Empty /user-states and fill with garbage - which may break your client-side logic
  • Change a user's state to something unexpected (e.g. non number, invalid enum value) - which may break your client-side logic
  • Change another user's state without permission
  • Write megabytes of data to the database - which may break your client side logic

Because your structure seems to be /user-states/$uid = <numeric status>, you can at least tighten your rules accordingly to:

{
  "rules": {
    "user-states": {
      // any signed-in user may read states
      ".read": "auth.uid != null",

      "$uid": {
        // only the concerned user may update their own state
        ".write": "newData.exists() && auth.uid == $uid",
    
        // state must be numeric
        ".validate": "newData.isNumber()"
      }
    }
  }
}

If these are too restrictive, you could also use the following which is marginally better than your original rules:

{
  "rules": {
    "user-states": {
      // any signed-in user may read states
      ".read": "auth.uid != null",
    
      // any signed-in user may update the state of another user
      ".write": "newData.exists() && auth.uid != null",
    
      "$uid": {
        // state must be numeric
        ".validate": "newData.isNumber()"
      }
    }
  }
}

Note: You could further restrict the new state value to a handful of values rather than just "is a number".

samthecodingman
  • 23,122
  • 4
  • 30
  • 54
  • 1
    "These alerts are important and there is no way to disable them" The alerts can be disabled from the Firebase console by clicking the bell icon () at the top right, clicking the settings icon (⚙️) from there, and selecting the project in question. Also see https://stackoverflow.com/questions/55388991/stop-firestore-warning-that-everyone-can-read-data – Frank van Puffelen Oct 10 '21 at 22:59