Firebase rules allowing write when they shouldn't be

Question

I have the following database entry: "companies: 8":

I have the following database rules, which do not allow a simulated write of "companies: 8" to the database.

{
  "rules": {
      ".read": "auth != null",
      ".write": "auth != null",
        "companies": {  
              ".validate": "(data.exists() && (newData.val() === data.val() + 1)) || (!data.exists() && newData.val() == 0)" 
        }
  }
}

However, when I try to write "companies: 20" to the database with the Firebase Python SDK, which also is not allowed under these rules, it works:

In [1]: import firebase_admin

In [2]: from firebase_admin import credentials, db

In [3]: cred = credentials.Certificate('serviceAccountCredentials_dev_async.json
   ...: ')

In [4]: firebase_admin.initialize_app(cred, {'databaseURL': 'https://async-testi
   ...: ng.firebaseio.com/'})
Out[4]: <firebase_admin.App at 0x7fc50c00c080>

In [5]: ref = db.reference()

In [6]: ref.update({'companies': 20})

What am I doing wrong?

Answer 1

You are using the Firebase Admin SDK and it looks like you are initializing with the credentials for a service account. In this case, no security rules are applied, I think not even validation rules.

If there is a reason you must you the Admin SDK and want validation rules to be performed, authenticate with limited priveleges:

As a best practice, a service should have access to only the resources it needs. To get more fine-grained control over the resources a Firebase app instance can access, use a unique identifier in your Security Rules to represent your service. Then set up appropriate rules which grant your service access to the resources it needs.