29
votes

I recently received an email from firebase telling me that my realtime database has insecure rules. These are the rules that I have set:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
 }
}

Is this not a secure rule?

Email/Password is the only sign-in method that I have enabled.

2
It's may be because you're allowing access to all the data when the user logged in. You should only allow the logged user and common data but not all data.MuruGan
you have to specify tree level rules also.MuruGan
those rules seem fine, did you checked that the email is from that project?Gastón Saillén
@MuruGan I only have one tree and all users, as long as they are authenticated, are allowed to read and write to this tree. That's why my rules are written that way.F0r3v3r-A-N00b
Recently firebase team found that, so many projects have security issues following that why they sent you the mail. Try to contact firebase support team for further detailsMuruGan

2 Answers

62
votes

firebaser here

I'm sorry if the email wasn't very explicit about what isn't secure about those rules. Securing your user's data is a crucial step for any app that you make available, so I'll try to explain a bit more about how that works below.

The (default) rules you have allow anyone who is signed in to your back-end full read/write access to the entire database. This is only a very basic layer of security.

On the one hand this is more secure than just granting everyone access to your database, at least they have to be signed in.

On the other hand, if you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database. This means they can delete all data with a simple command like firebase.database().ref().delete().

To make the data access more secure, you'll want to more tightly control what each signed-in user can do. For example, say that you keep a profile with information about each user under /users. You might want to allow all users to access these profiles, but you definitely want users to only be allowed to modify their own data. You can secure this with these rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

With these rules, everyone (even non-authenticated users) can read all profiles. But each profile can only be modified by the user whose profile it is. For more on this, see the Firebase documentation on securing user data.

In addition to ensuring that all access to data is authorized, you'll also want to ensure that all data stored is valid to whatever rules you have for you app. For example, say that you want to store two properties for a user: their name, and their age (just for the sake of the example, in reality you'd probably store their date-of-birth instead). So you could store this as something like:

"users": {
  "uidOfPuf": {
    "name": "Frank van Puffelen",
    "age": 48
  }
}

To ensure only this data can be written, you can use this rules:

{
  "rules": {
    "users": {
      ".read": true,
      "$user_id": {
        ".write": "$user_id === auth.uid",
        ".validate": "data.hasChildren('name', 'age')",
        "name": {
          ".validate": "data.isString()",
        },
        "age: {
          ".validate": "data.isNumber()",
        },
        "$other: {
          ".validate": false
        }
      }
    }
  }
}

These rules ensure that each user profile has a name and age property with a string and numeric value respectively. If someone tries to write any additional properties, the write is rejected.

Above is a quick primer on how to think about securing your (user's) data. I recommend that you check out the Firebase security documentation (and the embedded video) for more.


Update: since May 2021 you can also use Firebase App Check to restrict access to calls just coming from your web site or app. This is another, quick way to reduce the abuse of your database. This approach is not foolproof though, so you'll want to combine App Check for broad protected, with the security rules for fine-grained control.

0
votes

You can also mute alerts by visiting the link at the bottom of the email.

https://console.firebase.google.com/subscriptions/project/<YOUR_PROJECT_NAME>

enter image description here