
I've set up my Firestore rules like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Rules:
    // Only the owner can modify their stuff under the users collection.
    // Note: rules do not cascade to sub-collections, so each one is matched explicitly.
    match /users/{uid} {
      allow read, write, delete: if isOwner(uid) && emailVerified();
    }

    match /users/{uid}/groups/{groupID} {
      allow read, write, delete: if isOwner(uid) && emailVerified();
    }

    match /users/{uid}/friends/{friendID} {
      allow read, write, delete: if isOwner(uid) && emailVerified();
    }

    match /users/{uid}/notifications/{notifID} {
      allow read, write, delete: if isOwner(uid) && emailVerified();
    }

    // Functions //
    function emailVerified() {
      // request.auth is null for unauthenticated requests; guard it so the
      // rule evaluates to false instead of erroring (an error is also a deny).
      return request.auth != null && request.auth.token.email_verified == true;
    }

    function isOwner(uid) {
      // request.auth.uid comes from the verified Firebase ID token, not from the request body.
      return request.auth != null && request.auth.uid == uid;
    }
  }
}

Basically, the idea is this: a user can only modify records in the sub-collections within their user document. The sub-collections are groups, friends, and notifications. The rules will check the incoming request.auth.uid and see if it matches the uid in users/{uid} before allowing them to modify any sub-collection.

I'm just now realizing that within the friends collection I'm storing the uid of those friends. So now I'm worried that there might be a security risk. If a user downloads their friends list, they will receive the uid of those friends. Could a malicious user then use the uid to impersonate that friend and modify their firestore records?

    Knowing the UID of a user is not enough to impersonate them. See my answer here for more on that: https://stackoverflow.com/questions/33342681/is-it-safe-to-use-firebase-uid-as-qr-code-tag – Frank van Puffelen Mar 26 '23 at 18:12
    For maintaining friendship relationships this structure allows an authentication user that anyone else is their friend. To make friendship bidirectional, you'll typically want to build in a confirmation step where the other UID must also add my UID to their list of friends. – Frank van Puffelen Mar 26 '23 at 18:15
  • @FrankvanPuffelen in that case I guess it all comes down to whether or not Firebase auth can be circumvented somehow. I haven't read anything online that there are any vulnerabilities, so that's good news on that front. I don't quite understand what you mean with the first sentence of your second comment. Right now I have Firestore triggers that make both users' friend records update according to how the relationship changes, so I'm assuming that is in line with what you're saying about bi-directional friendships. – whatwhatwhat Mar 26 '23 at 19:27
    Sorry, that first sentence was mangled indeed: in your data structure any (authenticated) user can claim that anyone else is their friend. You typically want to only acknowledge the friendship once it's mutual, so once both user A has written the UID of user B in their data **and** user B has written the UID of user A in *their* data. – Frank van Puffelen Mar 27 '23 at 00:57
  • @FrankvanPuffelen ah right. You might have just saved my life. Thanks Puf! – whatwhatwhat Mar 27 '23 at 04:46
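The two points raised in the comments, that a UID is not a credential and that a friendship should only count once it is mutual, can both be expressed in the rules themselves. The ruleset below is an added example, not the asker's rules or anything from Frank's answer; it assumes the same users/{uid}/friends/{friendID} layout, where each friend document is keyed by the friend's UID, and it adds a read grant for confirmed friends that the original rules do not have.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      // request.auth is null for unauthenticated callers. When it is set, the
      // uid is taken from the verified Firebase ID token issued to that client;
      // a UID copied out of someone's friends list cannot be supplied here.
      return request.auth != null && request.auth.token.email_verified == true;
    }

    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Mutual friendship: the profile owner lists the caller as a friend AND the
    // caller lists the profile owner. A one-sided claim satisfies neither the
    // owner's data nor the rule. Each exists() is one document read per request.
    function isMutualFriend(uid) {
      return signedIn()
        && exists(/databases/$(database)/documents/users/$(uid)/friends/$(request.auth.uid))
        && exists(/databases/$(database)/documents/users/$(request.auth.uid)/friends/$(uid));
    }

    match /users/{uid} {
      // Owner has full access; confirmed friends may read the profile only.
      allow read: if isOwner(uid) || isMutualFriend(uid);
      allow write: if isOwner(uid);

      // Only the owner edits their own friends list, and a user cannot
      // "befriend" themselves (friendID is the other party's UID).
      match /friends/{friendID} {
        allow read: if isOwner(uid);
        allow write: if isOwner(uid) && friendID != uid;
      }

      match /groups/{groupID} {
        allow read, write: if isOwner(uid);
      }

      match /notifications/{notifID} {
        allow read, write: if isOwner(uid);
      }
    }
  }
}
```

With these rules a user who learns another user's UID from their friends list can still only write under their own users/{request.auth.uid} path, because isOwner compares against the token-derived uid rather than anything the client sends. The friend-read grant only opens once both sides have written each other's UID, which is the confirmation step described in the comments; if the friend records are kept in sync by a Cloud Functions trigger, the trigger runs with admin privileges and is unaffected by these rules, so the mutual check in the rules remains the authoritative gate for client reads.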
