
In my application I use custom claims to assign roles to users. The admin can change the roles of people with a snazzy toggle button (using a cloud function), so (s)he needs to see a list of all of the users... But on the other hand, when a user registers they need to be added to the users database collection. This collection obviously isn't used to authorize anything; it's just there so that the admin can change the roles for the users in that collection. So the admin needs to be able to read the table and everyone needs to be able to write to the collection.... So my rules in this regard look like this:

    {
      "rules": {
        "users": {
          ".read": "auth.token.isAdmin === true",
          ".write": true
        }
      }
    }

I have checked in the redux store and it seems to work. I call the action creator that fetches the users in a component; when I access it as a regular user, I see that the users node in the redux store remains empty... When I'm logged in as admin and go to the component, I see that the users node is filled... So it seems to work, but I want to be sure this is a safe way of working, because having everyone write to the table just feels wrong :-) But like I said, the table itself isn't used to authorize anything, so perhaps it's ok.....

Thanks for any opinions on this :-)

With kind regards, David

1 Answer


What you have is a fairly common pattern: everyone can write a request, but only authorized users can read the requests.

There is no inherent security risk of leaking information in this pattern, as long as you ensure that only the authorized user has isAdmin == true.


But right now any user can write whatever they want to the /users node. Which also means that any user can delete all existing data with a simple: firebase.database().ref("users").remove() call. That is probably something you'll want to protect against.

How to do that depends on how and what the users write to /users. For example, if they write their own user profile under their UID and you're using that UID as the key, you could ensure that users can only write their own profile with:

{
  "rules": {
    "users": {
      ".read": "auth.token.isAdmin === true",
      "$uid": {
        ".write": "auth.uid === $uid"
      }
    }
  }
}

As said, this depends on the actual data you write though, so you'll want to check the Firebase documentation on securing data access and implement that for your use-case.


One more thing I'd consider is to restrict what users can write to this node in the database. For example, you could use a .validate rule to restrict the values they can write, or even a .write rule to ensure the user only writes their own data.
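Putting the two suggestions above together, here is a complete database.rules.json that combines the per-UID .write rule with .validate rules restricting what a profile may contain. This is an added example, not code from the original question or answer, and it assumes a profile consists of exactly two fields, email and displayName; adjust the field names and constraints to whatever your registration code actually writes.

```json
{
  "rules": {
    "users": {
      ".read": "auth.token.isAdmin === true",
      "$uid": {
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['email', 'displayName'])",
        "email": {
          ".validate": "newData.isString() && newData.val() === auth.token.email"
        },
        "displayName": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 100"
        },
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

A few points worth checking when you adapt this. Because there is no .write rule on /users itself, a client call to firebase.database().ref("users").remove() is rejected: write permission has to be granted at or above the location being written, and here it is only granted under /users/$uid. The "$other": { ".validate": false } entry rejects any child that is not email or displayName, so a user cannot add an isAdmin field to their own profile (harmless as long as the node is never used for authorization, but there is no reason to allow it). The email rule pins the stored address to the one in the caller's ID token, so a user cannot register a profile claiming someone else's address. Note that .validate rules only run when the new data is non-null, so a user can still delete their own profile; if that matters, add "newData.exists()" to the .write rule. Finally, you can exercise these rules offline with the Rules Playground in the Firebase console or the Realtime Database emulator before deploying them.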