
I am trying to make a Trello-inspired app using React and Firestore. I'm now doing the feature where users on the board will invite or add other users.

The problem is when users are looking for other users, it is done on the frontend. My security rule allows reading of the users collection if the user:

```
allow read: if request.auth != null;
```

The part where I query the users, trying to see if the email address or name matched

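```javascript
// Firebase v9 modular SDK functions used by this snippet.
import { collection, query, where, getDocs } from 'firebase/firestore'

// `db`, `matchedUser` (the search term) and `setUsers` come from the surrounding component.
try {
    const matchedUsers = []
    // Match users whose nameArray contains the search term.
    const queryUsers = query(
        collection(db, 'users'),
        where('nameArray', 'array-contains', matchedUser)
    )
    const querySnapshot = await getDocs(queryUsers)
    querySnapshot.forEach((doc) => {
        // Only these fields are used here, but the whole document is sent to the client.
        const userObj = {
            id: doc.data().userId,
            name: doc.data().name,
            photo: doc.data().photo,
        }
        matchedUsers.push(userObj)
    })
    setUsers(matchedUsers)
} catch (err) {
    console.log(err)
}
```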

As you can see there, it seems like I'm letting other users read other users' documents in the collection which will be problematic because my user doc contains email address too. I'm thinking that anyone can change the frontend code and get the email address of other users. Is my security rule for reading the users collection wrong? Because I know that if a security rule allows access or allow reads, then the user will have access to the entire document.

I want to know the best practices for doing this. I am new to the backend or database, I am just a newbie trying to create personal projects.

I found a suggestion from Firestore, "Read only for specific fields", but I have yet to try this.

I'm thinking if I can do this, making the email a private subcollection since I only need the name or the userId. I really dunno if I'm doing the right thing or if my security rule request.auth != null is fine.

Frank van Puffelen

1 Answer


> Is my security rule for reading the users collection wrong?

That is hard for us to say. Your security rule allows everyone who is signed in to Firebase Authentication to read all users (or whatever match you've defined that rule on).

If that is not what you want, you'll have to be explicit about who can read what data from your database, and implement that both in your JavaScript code and in your security rules.

For example, if you want to enforce where('nameArray', 'array-contains', matchedUser) on the server, you will have to find a way to implement it in your rules. For what you can do there, I recommend reading the documentation on securely querying data.

Frank van Puffelen
  • Thank you for your response. I read that one but I still don't find the answer to my question. I dunno how I can avoid the fact that anyone can change the frontend code when they query; they can try accessing the email address too, which is in the user doc within the users collection. Should I just do the [read only specific fields](https://firebase.google.com/docs/firestore/security/rules-fields#allowing_read_access_only_for_specific_fields) or should I change my data structure? Do you have any tips? Please help this little creature. Thank you – RC Minerva Nov 17 '22 at 01:09
  • Access to data from Firestore is always to an entire document. There is no way to allow someone access to only some of the fields, and not to the others. If you want to allow access to some data and not to other data, you'll have to split that data across multiple documents. Also see https://firebase.google.com/docs/firestore/solutions/role-based-access and https://stackoverflow.com/a/46590877 – Frank van Puffelen Nov 17 '22 at 02:35
  • Thank you Mr. Puffelen – RC Minerva Nov 18 '22 at 21:53
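
The document split described in the comments above, written out as Firestore security rules. This is an added example, not part of the original question or answer. The field names userId, name, nameArray and photo come from the question; the `private/contact` subcollection path that holds the email is an assumption made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (the rule from the question): every signed-in user can read
    // each users/{userId} document in full, including its email field.
    // match /users/{userId} {
    //   allow read: if request.auth != null;
    // }

    // AFTER: users/{userId} holds only the searchable, non-sensitive fields,
    // so the same read rule no longer exposes the email.
    match /users/{userId} {
      allow read: if request.auth != null;

      // Only the owner may write, and the public document is restricted to
      // the listed fields, so an email cannot be written back into it.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.data.keys().hasOnly(
                                 ['userId', 'name', 'nameArray', 'photo']);
      allow delete: if request.auth != null && request.auth.uid == userId;

      // Assumed layout: users/{userId}/private/contact stores { email }.
      // The parent rule does not cascade to this subcollection, so it gets
      // its own owner-only rule.
      match /private/{docId} {
        allow read, write: if request.auth != null
                           && request.auth.uid == userId;
      }
    }
  }
}
```

With this layout the `array-contains` query from the question runs unchanged against `users`, and the documents it returns contain no email to leak.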