I have 2 apps which are in one project in Firebase. I have tried different rules by searching Firebase, but either they caused issues or they didn't work.

The rules I have set in the project are as follows:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "DriversOnline": {
      ".indexOn": ["g"]
    },
    "Requests": {
      ".indexOn": ["driver"]
    }
  }
}

The email I am receiving from firebase states:

[Firebase] Your Realtime Database 'project_name' has insecure rules

We've detected the following issue(s) with your security rules:
- any logged-in user can read your entire database
- any logged-in user can write to your entire database

Without strong security rules, anyone who has the address of your database can read / write to it, leaving your data vulnerable to attackers stealing, modifying, or deleting data as well as creating costly operations.

I am not sure what else I can do, as I want the app to be able to write and read to/from the database.

Any ideas?

What part of the email don't you understand? You need to restrict what users have access to. - SLaks
I understand the email, I just don't know what to restrict the users to. My app depends on reading and writing to the database, my users upload photos and files to the database, etc... I am just not sure what I need to restrict the users access to? - LizG
Are there any snippets you can provide to help me secure or restrict the users from either uploading images or reading/writing what is specified in my code to this db? - LizG
That depends entirely on how you want your data to work. But do you really want anyone to be able to see & delete anyone else's photos? - SLaks
It all depends on your structure. Basically what you need to do is ask yourself what individual users need to be able to read and where they need to be able to write. You say users upload photos and files; are these photos and files public to every authenticated user? If yes, that might be ok, except that you are sharing the root of the db like this, which means that all sub-paths will be accessible. Then let's say it's not, and a user with UID X stores his files and photos to path .../{UID}/Photos ... then you would protect that path with something like ".read": "$uid === auth.uid". - Simon Cadieux

1 Answer

If you put User photos and files under {uid}/... then you can protect the path like this:

    {
      "rules": {
        "$uid": {
          ".read": "$uid === auth.uid",
          ".write": "$uid === auth.uid"
        }
      }
    }

It doesn't necessarily need to be at the root; you could have other rules for other paths.
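The reason the root-level `auth != null` rule triggers the warning, and why the per-`$uid` rule from the answer fixes it, comes down to how Realtime Database read/write rules cascade: a grant at a shallower path applies to everything beneath it and cannot be narrowed by a deeper rule. The following is an added toy model of that evaluation, written for this thread and not part of Firebase or of the answer above. The rule conditions are plain JavaScript predicates standing in for the rule-language expressions on the page, and the user ids `alice` and `bob` and the path `alice/Photos/p1.jpg` are constructed sample data.

```javascript
// Toy model of Realtime Database ".read"/".write" rule cascading (added example).
// Rules are nested objects. Keys beginning with "$" are wildcards that bind the
// matching path segment; a literal child key takes precedence over a wildcard.
// Conditions are predicates over ctx = { auth, vars }.

// Models the rule string "auth != null".
const authenticatedOnly = (ctx) => ctx.auth !== null;

// Models the rule string "$uid === auth.uid" (fails closed when unauthenticated).
const ownerOnly = (ctx) => ctx.auth !== null && ctx.vars.$uid === ctx.auth.uid;

// The rules from the question: any signed-in user gets the whole tree.
const insecureRules = {
  ".read": authenticatedOnly,
  ".write": authenticatedOnly,
  DriversOnline: {},
  Requests: {},
};

// The rules from the answer: each user gets only the subtree named by their uid.
const perUserRules = {
  $uid: { ".read": ownerOnly, ".write": ownerOnly },
};

// A common mistake: keeping the root grant and adding the per-uid rule below it.
// Because grants cascade downward, the deeper, stricter rule never takes effect.
const leakyCascadeRules = {
  ".read": authenticatedOnly,
  $uid: { ".read": ownerOnly, ".write": ownerOnly },
};

// Decide whether `op` (".read" or ".write") on `path` is allowed for `auth`.
// Walks from the root toward the leaf; the first level that grants wins.
function isAllowed(rules, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules;
  for (let i = 0; ; i++) {
    const pred = node[op];
    if (typeof pred === "function" && pred({ auth, vars })) return true; // cascade: grant here covers descendants
    if (i === segments.length) return false; // reached the target with no grant on the way down
    const seg = segments[i];
    let next = null;
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      next = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard) {
        vars[wildcard] = seg; // bind e.g. $uid = "alice" for deeper conditions
        next = node[wildcard];
      }
    }
    if (next === null || typeof next !== "object") return false; // no rule covers this path: denied
    node = next;
  }
}

// Exercise the three rule sets with two constructed users and an anonymous client.
function demo() {
  const alice = { uid: "alice" };
  const bob = { uid: "bob" };
  const alicePhoto = "alice/Photos/p1.jpg";
  return {
    insecureBobReadsAlice: isAllowed(insecureRules, ".read", alicePhoto, bob), // true: the problem
    insecureAnonReads: isAllowed(insecureRules, ".read", "DriversOnline/d1", null), // false
    perUserAliceReadsOwn: isAllowed(perUserRules, ".read", alicePhoto, alice), // true
    perUserBobReadsAlice: isAllowed(perUserRules, ".read", alicePhoto, bob), // false
    perUserBobWritesAlice: isAllowed(perUserRules, ".write", alicePhoto, bob), // false
    perUserAnonReads: isAllowed(perUserRules, ".read", alicePhoto, null), // false
    cascadeBobReadsAlice: isAllowed(leakyCascadeRules, ".read", alicePhoto, bob), // true: root grant wins
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `leakyCascadeRules` case is the one to watch for when tightening an existing database: removing the root `auth != null` grant is a prerequisite, not an optional cleanup, because `.read`/`.write` rules only ever widen access as you go deeper. Paths that need to stay readable by every signed-in user (the `DriversOnline` and `Requests` nodes from the question, for instance) would get their own `auth != null` rule at that path rather than at the root.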