Configuring Firebase Realtime & Firestore Rules Properly
There have been reports that the Firebase Realtime Database and Firestore are insecure.
The truth is that Firebase as a platform is one of the most secure platforms I have used; however, most customers do not apply adequate security rules to their data, and that is what can lead to a massive breach.
What needs to be done?
Simple: secure everything!
Firebase Realtime Database Rules
1. The snippet below, for the Firebase Realtime Database, lets anyone read but nobody write:
{
  "rules": {
    ".read": true,
    ".write": false
  }
}
2. A more secure version, which only allows reads from authenticated users:
{
  "rules": {
    ".read": "auth != null",
    ".write": false
  }
}
Realtime Database rules can also be attached to an individual node (a JSON path) rather than only to the root, so access can be granted per location. More information is available here: https://firebase.google.com/docs/database/security/user-security
Firebase Firestore Database Rules
service cloud.firestore {
  match /databases/{database}/documents {
    match /class/{userId} {
      allow read;
    }
    match /team/{userId} {
      allow create: if request.auth.uid != null;
    }
    match /employee/{userId} {
      allow read;
    }
    match /dramatic/{catId} {
      allow write;
    }
    match /library/{userId} {
      allow read;
    }
  }
}
In the above example, you can only read the class and employee databases. You can only create new documents in team, and only if the request is authenticated. The other permissions (list, get, delete and update) are not allowed on documents in the team database because they are not mentioned: anything a rule does not explicitly allow is denied.
The dramatic collection allows only write access, and it grants it even to users who are not signed in. Additional rule conditions are described in this document: https://firebase.google.com/docs/firestore/security/rules-conditions
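For comparison, here is a hardened version of the same ruleset. This is an added example written for this article, not the author's original rules: it assumes that documents under team and dramatic belong to the signed-in user named in the path or in an owner field, and that class, employee and library are reference data the client should never write.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: the caller is signed in.
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the caller is signed in as the user named in the path.
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // Reference data: readable by any signed-in user, never writable from the client.
    match /class/{docId} {
      allow read: if signedIn();
    }
    match /employee/{docId} {
      allow read: if signedIn();
    }
    match /library/{docId} {
      allow read: if signedIn();
    }

    // Per-user documents: only the owner may read or create their own entry,
    // and the document must carry the owner's uid so it cannot be created
    // under someone else's id (assumed field: uid).
    match /team/{userId} {
      allow read: if isOwner(userId);
      allow create: if isOwner(userId)
                    && request.resource.data.uid == userId;
    }

    // The unconditional "allow write" is gone: writes require a signed-in
    // owner, only the expected fields are accepted, and deletes check the
    // stored owner (assumed fields: owner, title).
    match /dramatic/{catId} {
      allow read: if signedIn();
      allow create, update: if signedIn()
          && request.resource.data.keys().hasOnly(['owner', 'title'])
          && request.resource.data.owner == request.auth.uid;
      allow delete: if signedIn()
          && resource.data.owner == request.auth.uid;
    }

    // Every path not matched above is denied by default.
  }
}
```

Note that a rule such as `request.auth.uid != null` evaluated for an unauthenticated request errors on the null `request.auth`, which Firestore treats as a denial; checking `request.auth != null` first, as the helpers above do, makes the intent explicit.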
Note: Do yourself a favor and use the Rules Simulator before applying the rules in production.