Basic Firebase Security Rules


Glenn Moseley
Aug 9, 2023, 6:59:12 PM
to Firebase Google Group
Morning/Afternoon all,

I would like to run a scenario past you and ask for some advice regarding security rules.

I have an Angular app which is hosted through Firebase Hosting and uses Realtime Database and Firestore.

This app's purpose is for displaying information about an event. The information should be accessible by anyone at the event through the URL. The URLs are unique to each event.

When it comes to security rules on the Realtime Database and Firestore, would allowing read to all and blocking writes completely be sufficient, or should I be looking to authenticate these users on entry and then building security rules around that user?

I keep getting alerts that I have insecure rules, and on top of that I want to understand this now to ensure that I don't have other actors driving up consumption costs.

I pondered logging each user in anonymously when they entered an event, either through inputting and submitting an event code on the homepage, or through entering a URL with an event code in the route, and then adding some data about the event they are focused on to their claims and building the security rules around providing access to the resources associated with the events they have in claims. Would that seem like a better option?

Arthur Thompson
Aug 9, 2023, 7:18:42 PM
to fireba...@googlegroups.com
Hi Glenn,

I think even if you want to allow reads you should specify the specific paths within RTDB and Firestore that can be read; this will block reads to anywhere else in your database.

As for limiting consumption driving up costs, I think activating App Check would be the right move for mitigating this type of abuse.

PS: Anonymous users were meant for short-term use (like adding items to a shopping cart) to then be upgraded to a full-fledged signed-in user. So I don't think anonymous users are the right fit for your use case.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/452393fc-b164-4320-8e5f-de8ac4b22153n%40googlegroups.com.

Glenn Moseley
Aug 11, 2023, 10:54:47 AM
to Firebase Google Group
Thank you for those suggestions.

It did feel like overkill signing everyone in. I have enabled App Check already.

I will keep an eye on these rules. At the moment I don't have the need to restrict read access to any part of my database. But I understand that should that change the broad scope of the wildcard matching rule could be quite dangerous. For now, as long as I know the requests are coming through the app then I think that is sufficient.
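Arthur's advice to scope public reads to specific paths, and Glenn's remark about the broad wildcard rule, shown as a worked Firestore ruleset. This is an added example, not rules posted by either participant; the `events` collection, its `sessions` subcollection, and the document layout are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Broad rule of the kind Glenn describes (shown here only for contrast,
    // do not deploy): every document in the project is readable by anyone,
    // and one collection-group query can dump the whole database.
    //
    //   match /{document=**} {
    //     allow read: if true;
    //     allow write: if false;
    //   }

    // Scoped rule: an attendee who knows the event URL can fetch that one
    // event document by id. 'get' is allowed but 'list' is not, so the
    // events collection cannot be enumerated or dumped with a single query.
    match /events/{eventId} {
      allow get: if true;
      allow list: if false;
      allow write: if false;

      // Schedule entries live under the event; listing is allowed here
      // because it is bounded to one event's sessions, not the whole database.
      match /sessions/{sessionId} {
        allow read: if true;
        allow write: if false;
      }
    }

    // Any path not matched above (admin data, other collections) has no
    // allow statement, so Firestore denies it by default.
  }
}
```

The Realtime Database equivalent is the same idea: put `".read": true` under `events/$eventId` rather than at the root, and leave `.write` false everywhere.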