
I have a very simple Firestore database for a game I am creating. I have a User collection which has documents, each of which specifies a user's username, their email, and their high score.

I would like everyone to be able to read the high scores and usernames of everyone in the database, since I have a list that lists every user's high score and username.

However, I would only like individuals to be able to write to the database (i.e. submit their own high score) if they are logged in.

Thus, I have the following security rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
    match /Users/{document=**} {
      allow read: if true;
    }
  }
}

My question is, is this secure? I guess this means that technically a user with malicious intent could read the emails of every user. Is there a way to prevent this by somehow specifying that everyone should only be able to read the highscore and username properties of each User document?

Also, this setup does prevent malicious users from writing to the database, correct? (Edit here: I guess this doesn't - I'm looking into this now by reading the docs here https://firebase.google.com/docs/firestore/security/rules-structure)

I'm not new to Firebase but I am new to its security rules, since I haven't pushed an application to production before and would like to make sure I don't leave anything vulnerable, so any feedback/guidance here is appreciated.

Evan

1 Answer


As I explained on your previous question, anyone can take the configuration data from your app, and call the Firebase APIs with that data.

is this secure?

Only you can determine whether your rules are correct for your use-case.

These rules allow anyone to read all documents in the /Users collection. In addition, they allow any authenticated user to read and write all documents. If that is the use-case you want to support, then these are the correct rules for you.

So if you've enabled the anonymous authentication provider in Firebase Authentication, anyone can take your configuration data, write a minimal web page and call firebase.auth().signInAnonymously() and then read all user data with firebase.firestore().collection("Users").get().

Securing your database is going to be hard to learn in this question and answer style. I instead recommend you:

  1. Read the Firebase guide on security rules.
  2. Doug's video introduction to security rules.
  3. Watch the series Getting to know Cloud Firestore, and pay special attention to the episode on security rules.
  4. The video Unit testing security rules with the Firebase Emulator Suite and its follow up Intermediate topics in Firebase Security Rules.
  5. The pro-series episode How to build a secure app in Firebase.
  6. The article Patterns for security with Firebase: combine rules with Cloud Functions for more flexibility
Frank van Puffelen
  • Yes, many thanks again for the answer, this was very useful and I'm currently in the process of going through the documentation to find the correct configuration for my setup. Really appreciate you taking the time to answer here, have a good one! – Evan Aug 17 '20 at 03:33
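
Added example, not part of the original question or answer: Firestore rules grant reads per document, not per field, so one way to get the access pattern the question describes is to keep the email out of the publicly readable document and to drop the catch-all match. These rules assume each Users document ID is the owner's Firebase Auth UID; the field names username and highscore and the private subcollection are hypothetical.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // No catch-all /{document=**} block: any path without an explicit
    // match below is denied, for signed-in users as well.

    // Public leaderboard entry. Assumption: the document ID is the
    // owner's Firebase Auth UID.
    match /Users/{uid} {
      // Anyone may read the whole document, so it must hold only
      // data that is meant to be public.
      allow read: if true;

      // Only the signed-in owner may create or update their own entry,
      // and only with the two public fields (hypothetical names).
      allow create, update: if request.auth != null
        && request.auth.uid == uid
        && request.resource.data.keys().hasOnly(['username', 'highscore'])
        && request.resource.data.username is string
        && request.resource.data.highscore is int;

      // Deletes are not granted and are therefore denied.

      // Private data such as the email address lives in a subcollection
      // (hypothetical name) that only the owner can read or write.
      match /private/{docId} {
        allow read, write: if request.auth != null
          && request.auth.uid == uid;
      }
    }
  }
}
```

These rules restrict who can write a score, not whether the submitted score was honestly earned; the last article in the answer's list covers combining rules with Cloud Functions for that kind of check.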