2

I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" API in Go. Access to the data is wide open as long as you know the project ID and are using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project ID to access the data, so I need to lock that down first before I move any further. Rules are only for mobile/web clients from what I read, and server-side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore API to access the data.

RamelHenderson
  • If you are not using Firebase and its security rules at all, then your database is not "wide open". If you are using Firebase rules, then you can simply write them to reject all "wide open" access and allow access only from backend clients that are using service account credentials that you allow. If you are observing something otherwise, then edit the question to show the steps that anyone can take to set up their Firestore database to be "wide open" outside of expectations. – Doug Stevenson Dec 24 '21 at 03:01

2 Answers

3

It's unclear from the limited information in your question, but your Firestore database is not open to anyone with the Project ID.

The service is only accessible to anything (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.

In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.

Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.

I suspect that your code is using ADCs to authenticate you to the project|service.

DazWilkin
  • The database is only "wide open" if the project has Firebase security rules deployed that explicitly allow it. This is not the case by default, but only by explicit configuration. The OP has not said what their configuration is, so we don't know anything for sure. – Doug Stevenson Dec 24 '21 at 03:03
  • Thank you Daz, it was the ADC after all. I swear I was going insane but only after trying my code on another machine did I get the message "failed to create client: google: could not find default credentials..." So yes, access is not open, it was more so a configuration step that I missed. – RamelHenderson Dec 24 '21 at 09:07
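
The behaviour resolved in this thread (the same code authenticating on one machine and failing with "could not find default credentials" on another) follows from where ADC looks for credentials. The Go program below is an added example, not code from the answers or from Google's client library; it reports which local credential file the documented ADC search order would pick up. The names `ADCSource`, `ResolveLocalADC` and `wellKnownADCPath` are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// ADCSource: where a credential file was found and the "type" field it declares.
type ADCSource struct{ Origin, Path, Type string }

// wellKnownADCPath is where `gcloud auth application-default login` stores credentials.
func wellKnownADCPath(goos, home, appData string) string {
	if goos == "windows" {
		return filepath.Join(appData, "gcloud", "application_default_credentials.json")
	}
	return filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
}

// ResolveLocalADC mirrors the file-based part of the ADC search order:
// GOOGLE_APPLICATION_CREDENTIALS first, then the gcloud well-known file.
func ResolveLocalADC(envPath, wellKnown string) (ADCSource, error) {
	for _, c := range []ADCSource{{Origin: "env", Path: envPath}, {Origin: "well-known-file", Path: wellKnown}} {
		if c.Path == "" {
			continue
		}
		raw, err := os.ReadFile(c.Path)
		if err != nil && c.Origin == "env" {
			return ADCSource{}, fmt.Errorf("GOOGLE_APPLICATION_CREDENTIALS set but unreadable: %w", err)
		} else if err != nil {
			continue // well-known file missing or unreadable: fall through
		}
		var f struct{ Type string `json:"type"` }
		if err := json.Unmarshal(raw, &f); err != nil {
			return ADCSource{}, fmt.Errorf("%s: not valid JSON: %w", c.Path, err)
		}
		c.Type = f.Type // e.g. "authorized_user" (gcloud login) or "service_account" (key file)
		return c, nil
	}
	return ADCSource{}, errors.New("no local credential file; only an attached service account could authenticate")
}

func main() {
	home, _ := os.UserHomeDir()
	src, err := ResolveLocalADC(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), wellKnownADCPath(runtime.GOOS, home, os.Getenv("APPDATA")))
	fmt.Printf("origin=%q path=%q type=%q err=%v\n", src.Origin, src.Path, src.Type, err)
}
```

A result of `origin="well-known-file" type="authorized_user"` on a developer machine means server code there runs with that developer's own Google identity and IAM roles, which is why the database appeared reachable with only a project ID.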
1

> Access to the data is wide open as long as you know the project id and using the Firestore API on a server.

If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.

Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.

Frank van Puffelen