Reputation: 100
If rules are implemented in the app code itself and compared to the data children in the database, why do we still need security rules?
Case example: The host of a group chat can kick users out. How do we know he is the host and can kick them out? Well, by adding a child where it specifies that he IS the host of the group chat and making sure that data is known to all group chat members. (It could be his unique "displayName" as a value to the key "Host".)
From the case example above, why would one want to add a security rule to this? There is already a "logic" rule used by the app in communication with the database "host" child.
I am fairly new to security rules. I did some reading but reached no answer for my question. I apologise if something is obvious here.
Upvotes: 1
Views: 111
Reputation: 598728
In a traditional three-tier architecture you'd implement the application logic on the server, where you can rest assured that it's the code you wrote that is accessing the database. When using a backend-as-a-service though, you have only two tiers: your client-side application code accesses the database directly.
To allow the app to talk directly to the database, the configuration data necessary to access your Firebase project is kept in the app itself. But that also means that a malicious user can copy the configuration data from your app and make API calls against your project with their code.
If you don't implement security rules, the malicious user can (and thus will) do whatever they want to your data, including reading the entire database, and possibly overwriting parts or all of the data. It really only takes a few lines of JavaScript code to wreak havoc on an unprotected database.
In this two-tier system the security rules of your database function as its server-side application logic. They enforce the rules you want to apply to your database, and nobody can bypass them using the client-side SDKs.
Since you're new to using security rules, I highly recommend checking out the video on this documentation page.
You'll typically want to combine security rules with the new Firebase App Check feature, to both reduce broad abuse and have fine-grained access control.
Upvotes: 4
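To make the answer concrete for the group chat case in the question, here is an added example of Realtime Database security rules (written for this page, not code from the answer above or from Firebase's documentation). The path layout `/groupChats/$chatId/host` and `/groupChats/$chatId/members/$uid` is an assumption. Note that `host` stores the host's `auth.uid` rather than a `displayName`: the rules can only trust what is in the verified `auth` token, and a display name is neither unique nor tamper-proof. "Kicking" a user is the host deleting `/groupChats/$chatId/members/<uid>`; a member may also delete their own entry to leave.

```json
{
  "rules": {
    "groupChats": {
      "$chatId": {
        // Only current members can read the chat (host, member list, etc.).
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",

        // Creating a chat: allowed once, only if the creator records
        // themselves as host and as the first member. Because data does not
        // exist yet, this rule never grants writes to an existing chat.
        ".write": "auth != null && !data.exists() && newData.child('host').val() === auth.uid && newData.child('members').child(auth.uid).val() === true",

        "host": {
          // The host's uid, set at creation; no child .write rule means it
          // cannot be changed afterwards through the client SDKs.
          ".validate": "newData.isString()"
        },

        "members": {
          "$memberUid": {
            // The host may add or remove anyone (kick = delete the entry);
            // any member may remove only themselves (leave the chat).
            ".write": "auth != null && (root.child('groupChats/' + $chatId + '/host').val() === auth.uid || ($memberUid === auth.uid && !newData.exists()))",
            // Membership entries are simple flags; .validate is only
            // evaluated when newData exists, so deletes pass through.
            ".validate": "newData.val() === true"
          }
        }
      }
    }
  }
}
```

The point of the rules is that the comparison against `host` now happens on Firebase's servers, using `auth.uid` from the verified ID token. A client that copied the project configuration and calls the API with its own code still goes through these rules, so it cannot rewrite `host`, read chats it is not a member of, or remove other members unless the server-side data says it is the host. The app code can keep its own "am I the host?" check for the UI, but that check is no longer what protects the data.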