
I have rules on Firebase Realtime Database as follows:

{
  "rules": {
    ".read": "auth.uid !== null",
    ".write": false,
    "Prodotti per autocomplete": {
      ".indexOn": "Marca"
    }
  }
}

My intention is that only authenticated users can read it, and that works, but every day emails arrive from Firebase telling me that the security rules are not set at their best, and they suggest I set the read like this:

".read": "auth != null && $uid === auth.uid"

The problem is that it doesn't recognize the variable $uid. Since I can't figure out how to manage this variable (because of the big gaps in my knowledge), maybe some of you have some suggestions.

The data in the database is products and prices of products that I want to appear for all logged in users. It is not personal information. Should I store all the uids in the database so that when $uid is invoked it doesn't give an error? What is the "$" sign used for in this case?


1 Answer

Providing full read access to your entire database to any authenticated user is a common, underestimated security risk. Signing in to Firebase is easily done by a single API call with your configuration data, and at that point anyone can read the entire database with a single call.

It also is very unlikely that your code ever reads the root of the database. And a simple rule: if your code doesn't do it, your rules shouldn't allow it. If your code queries Prodotti per autocomplete, you can move the read permission to that level:

{
  "rules": {
    ".write": false,
    "Prodotti per autocomplete":{
      ".read": "auth.uid !== null",
      ".indexOn": "Marca"
    }
  }
}

This will stop the emails from Firebase, but more importantly: it means that a malicious user must now know about the "Prodotti per autocomplete" branch before they can read it.

Even better would be to enforce the use of a query in your rules. Here again: if your code never reads the entire "Prodotti per autocomplete" branch, your rules shouldn't allow that.

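The "enforce the use of a query" step from the answer, written out as an added example (not part of the original answer): Realtime Database rules can reference the `query` variable, so the read on "Prodotti per autocomplete" is granted only to authenticated clients that order by the indexed child `Marca` and cap the result size. The limit of 50 is an assumed value chosen for illustration; pick whatever your autocomplete actually requests.

```json
{
  "rules": {
    ".write": false,
    "Prodotti per autocomplete": {
      ".indexOn": "Marca",
      ".read": "auth != null && query.orderByChild == 'Marca' && query.limitToFirst <= 50"
    }
  }
}
```

A plain `get()` on the whole branch, or a query ordered by another child, is now denied even for a signed-in user, while a client doing `orderByChild('Marca')` with `limitToFirst(50)` or less still works; because rules cascade downward, keep the `.read` at this level and nowhere above it.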
  • Thanks, I'll try this: `{ "rules": { ".write": false, "Prodotti":{ ".read": "auth.uid !== null", "Prodotti per autocomplete":{ ".read": "auth.uid !== null", ".indexOn": "Marca" } } } }` and I hope it works – Fabio Murtas Apr 28 '23 at 12:49
  • That nested `".read": "auth.uid !== null",` is meaningless, as the same permission from the level above already cascades downwards. See https://firebase.google.com/docs/database/security/core-syntax#read_and_write_rules_cascade --- Aside from that, it's the same as I answered, so yeah... that'll work, stop the warnings, and be a good first step against abuse. – Frank van Puffelen Apr 28 '23 at 23:28
  • This evening the usual warning arrived; I'll see tomorrow if it comes back... in that case I'll have to find another solution... let's hope... thanks for now – Fabio Murtas Apr 29 '23 at 00:15
  • These rules should not trigger the email, but if it keeps coming anyway you can also disable it as shown here: https://stackoverflow.com/questions/55388991/stop-firestore-warning-that-everyone-can-read-data – Frank van Puffelen Apr 29 '23 at 04:15
  • Nothing, the mails continue to arrive; I will deactivate the alerts. Thanks anyway – Fabio Murtas Apr 29 '23 at 17:46