Un poco de todos

Reputation: 33

Firebase, insecure rules

I recently received an email from Firebase telling me that the rules of my database (Firestore) are insecure so I changed them to the following:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth.uid != null;
    }
  }
}

Before I had these rules:

allow read, write: if true;

After making the change, the emails keep coming back and I don't know what else to do. I already tried several of the following options given in this link but none of them works for what I need.

https://firebase.google.com/docs/rules/insecure-rules#firestore

I need authenticated users to be able to read and create content. So I use the rules that I put above.

I saw that in the email they send me it says that people can modify my database, is this referring to from the app, or does it mean that they can hack me or something?

Because the end of my app is that users can create content.

But I don't want someone to hack into my database and delete everything, is that possible?

Data Base

Thanks

Upvotes: 1

Views: 1039

Answers (2)

Salvino D'sa

Reputation: 4506

The emails are because the rules aren't really stringent. You should probably be using the following rule, that:

  1. Allows unauthenticated users to read data
  2. Allows authenticated users to create entries
  3. Allows users to update & delete only entries that are owned by themselves and not those of others.

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true;
      allow create: if request.auth.uid == request.resource.data.author_uid;
      allow update, delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}

Read this article for better understanding. You can also check when Firestore flags rules as insecure over here. More importantly, this is the point to be emphasized.

Remember that Firebase allows clients direct access to your data, and Firebase Security Rules are the only safeguard blocking access for malicious users. Defining rules separately from product logic has a number of advantages: clients aren't responsible for enforcing security, buggy implementations will not compromise your data, and most importantly, you're not relying on an intermediary server to protect data from the world.

Sample rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userDoc} {
      allow read: if true;
      allow create: if request.auth.uid == request.resource.data.id;
      allow update, delete: if request.auth.uid == resource.data.id;
    }

    match /posts/{postDoc} {
      allow read: if true;
      allow create: if request.auth.uid != null;
      allow update, delete: if request.auth.uid == resource.data.user_id;
    }

    match /comments/{commentDoc} {
      allow read: if true;
      allow create: if request.auth.uid != null;
      allow update, delete: if request.auth.uid == resource.data.user_id;
    }
  }
}

Upvotes: 2

Dharmaraj

Reputation: 50830

This case is mentioned in the documentation. Any authenticated user can write to your database and that also involves deleting data. You are using a recursive wildcard which gives them access to the complete database.

Instead try rules that allow users to write their own documents only or something similar.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /collectionName/{docId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == docId;
    }
  }
}

The above example will allow users to edit documents where the document ID is equal to their UID only.

If you wish to allow selected users to write (such as admin) then you can add a field named admin and set it to true in the user's document in the users collection. Then you can read the document data as shown:

match /collection/{document} {
  allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
  allow read: if true;
}

Upvotes: 0
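
A simplified model of the rule shapes discussed in this thread, added here as an example (it is not code from the question, the answers or Firebase, and it is not the rules engine). The user names, the sample document and the `ownerPinned` variant are assumptions; it shows which requests each rule set would allow, including an owner changing `author_uid` on update.

```javascript
// Simplified model of how the rules on this page decide a request.
// This is NOT the Firebase rules engine; field and user names are constructed.
const uidOf = (req) => (req.auth ? req.auth.uid : null);

const rulesets = {
  // Asker's rule: public read, any signed-in user may write anywhere.
  anyAuthenticated: (req) => req.op === 'get' || uidOf(req) !== null,

  // Owner-based rule from the first answer (author_uid field).
  ownerOnly: (req) => {
    const uid = uidOf(req);
    if (req.op === 'get') return true;
    if (uid === null) return false;            // unauthenticated writes are denied
    if (req.op === 'create') return req.incoming.author_uid === uid;
    return req.resource.author_uid === uid;    // update, delete
  },

  // Added assumption: an update must also leave author_uid unchanged.
  ownerPinned: (req) =>
    rulesets.ownerOnly(req) &&
    (req.op !== 'update' || req.incoming.author_uid === req.resource.author_uid),
};

// Constructed sample data: one existing document owned by "alice".
const doc = { author_uid: 'alice', text: 'hello' };
const alice = { uid: 'alice' };
const bob = { uid: 'bob' };
const requests = {
  anonRead:          { op: 'get',    auth: null,  resource: doc,  incoming: null },
  anonCreate:        { op: 'create', auth: null,  resource: null, incoming: { author_uid: 'bob' } },
  bobCreatesOwn:     { op: 'create', auth: bob,   resource: null, incoming: { author_uid: 'bob' } },
  bobCreatesAsAlice: { op: 'create', auth: bob,   resource: null, incoming: { author_uid: 'alice' } },
  bobDeletesAlices:  { op: 'delete', auth: bob,   resource: doc,  incoming: null },
  bobEditsAlices:    { op: 'update', auth: bob,   resource: doc,  incoming: { ...doc, text: 'changed' } },
  aliceEditsOwn:     { op: 'update', auth: alice, resource: doc,  incoming: { ...doc, text: 'edited' } },
  aliceReassigns:    { op: 'update', auth: alice, resource: doc,  incoming: { ...doc, author_uid: 'bob' } },
};

// Returns { requestName: true|false } for the named ruleset.
function decide(rulesetName) {
  const allow = rulesets[rulesetName];
  return Object.fromEntries(
    Object.entries(requests).map(([name, req]) => [name, allow(req)]));
}

for (const name of Object.keys(rulesets)) console.log(name, decide(name));
```

To check real rules the same way, run equivalent requests against the Firebase Local Emulator Suite rather than this model.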
