
I have edited the rules in my firebase real-time database as follows:

{
  "rules": {
    "poyntkds": {
      "kdsOrderStatus": {
        "$uid": {
          ".read": "$uid === $uid",
          ".write": "$uid === $uid"
        },
        ".indexOn": ["id", "forDate"]
      }
    }
  }
}

I think by doing this I am allowing only the particular merchant ($uid) to have access to write/read his data. But still, I am getting emails that the Firebase rules are not secure. Is there a better way to improve the security of my database?


Mohit Chandani

1 Answer

"$uid === $uid" will always be true because it just checks whether the key of the data a user is trying to access is equal to itself, and hence it's insecure. If you are trying to check whether that key is equal to the user's UID, then try the following rules:

{
  "rules": {
    "poyntkds": {
      "kdsOrderStatus": {
        "$uid": {
          ".read": "$uid === auth.uid",
          ".write": "$uid === auth.uid"
        },
        ".indexOn": ["id", "forDate"]
      }
    }
  }
}

These rules will allow read/write only when $uid is the same as the user's UID and hence are secure. You can read more about security rules in the documentation.

Dharmaraj
  • I am not using Firebase auth login, so will the rules still work? I am using my own login function and just saving the data in Firebase. – Mohit Chandani Apr 23 '22 at 15:41
  • @MohitChandani no, the `auth` will be null in that case. Check out [this answer](https://stackoverflow.com/q/68409757/13130697) for more info – Dharmaraj Apr 23 '22 at 15:44
  • I have a doubt about how "$uid === $uid" can always be true, because this uid is generated randomly by the system, and even if someone else tries to delete/modify the data they can write their own data only. – Mohit Chandani Apr 25 '22 at 07:02
  • You're essentially comparing `"hello" === "hello"`, which is always gonna be true. "this uid I am generating by the system randomly" I'm not sure what that means though, so it's hard to say how to secure your app based on the current information. You might want to edit your question to show the code that accesses the database, and how that code satisfies the security rules. – Frank van Puffelen Apr 25 '22 at 19:40
  • @FrankvanPuffelen I have attached the screenshot of DB and this $uid will be unique for each user and each time someone tries to make some edit it will be done in his tree only. – Mohit Chandani Apr 26 '22 at 11:04
  • @MohitChandani what he meant was that `$uid` is a wildcard. So if a user is trying to read `/poyntkds/kdsOrderStatus/1234`, then the value of `$uid` would be `1234`. Then `"$uid === $uid"` is essentially `1234 == 1234`, which is always true. – Dharmaraj Apr 26 '22 at 11:26
  • @Dharmaraj Got it! – Mohit Chandani Apr 26 '22 at 16:10
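To make the wildcard point from the answer and the comment thread concrete, here is an added JavaScript model (not code from the question, the answer, or the Firebase SDK) of how `$uid` is bound from the request path and then checked by the two rule expressions, including the case where the client never signed in with Firebase Auth and `auth` is null. The path prefix, request shapes and rule functions are assumptions made for this example.

```javascript
// Added example: a toy model of how the Realtime Database binds the `$uid`
// wildcard from the request path and evaluates the two rules on this page.
// This is a stand-in written for illustration, not the Firebase rules engine.

const PATH_PREFIX = ["poyntkds", "kdsOrderStatus"]; // assumed rule location

// Bind `$uid` from a request path such as "/poyntkds/kdsOrderStatus/1234"
// -> { $uid: "1234" }. Returns null when the path is outside the location.
function bindWildcard(path) {
  const segments = path.split("/").filter(Boolean);
  for (let i = 0; i < PATH_PREFIX.length; i++) {
    if (segments[i] !== PATH_PREFIX[i]) return null;
  }
  const uid = segments[PATH_PREFIX.length];
  return uid === undefined ? null : { $uid: uid };
}

// The rule from the question, "$uid === $uid": both sides are the same bound
// value, so every caller, signed in or not, is granted access to every key.
function weakRule(vars, auth) {
  return vars.$uid === vars.$uid;
}

// The rule from the answer, "$uid === auth.uid". As the comments note, `auth`
// is null without Firebase Auth; a rule that dereferences null fails, so deny.
function fixedRule(vars, auth) {
  if (auth === null || auth === undefined) return false;
  return vars.$uid === auth.uid;
}

// Evaluate one rule for one request. Returns true when access is allowed.
function isAllowed(rule, path, auth) {
  const vars = bindWildcard(path);
  if (vars === null) return false; // nothing grants access outside the location
  return rule(vars, auth);
}

// Walk a few constructed requests through both rules and report each verdict.
function evaluateRequests() {
  const requests = [
    { path: "/poyntkds/kdsOrderStatus/1234", auth: null },
    { path: "/poyntkds/kdsOrderStatus/1234", auth: { uid: "1234" } },
    { path: "/poyntkds/kdsOrderStatus/1234", auth: { uid: "9999" } },
  ];
  return requests.map((r) => ({
    path: r.path,
    uid: r.auth ? r.auth.uid : null,
    weak: isAllowed(weakRule, r.path, r.auth),
    fixed: isAllowed(fixedRule, r.path, r.auth),
  }));
}
```

Running `evaluateRequests()` shows the weak rule granting all three requests while the fixed rule grants only the one whose signed-in UID matches the key.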