I'm using Firebase anonymous auth to control access to my Firestore data without requiring the hassle of registration.
After reading many posts and looking up the documentation as best I can (I'm still learning), my understanding is:
- Firebase Anonymous auth is not as secure as other Firebase auth options
- Anyone with the right skills could use my API key to create a UID granting access
- To mitigate this, we use rules (in this case Firestore rules)
So I created rules for all my collections, making some collections 'get' only:
match /collection/doc {
  allow get: if request.auth != null;
}
Other collections where the document ID must match the UID:
match /collection/{uid} {
  allow get, write: if request.auth != null && request.auth.uid == uid;
}
Which is great, and seems to work well when I tested it; however, there is one collection that will contain data that is 'get' only, but I consider sensitive (names and work phone numbers).
What I'm trying to understand is: Is it possible for anyone who gains access "with malicious intent" to obtain a list of all collections, and everything inside, thereby giving them the ability to go in and access sensitive documents that are 'get' only? As in:
allow get: if request.auth != null;
I'm using 'get' instead of 'read' because I heard that 'get' prevents a list query from being executed via the admin SDK.
My idea being that if they can't get a list of collections / documents, they won't be able to access the sensitive data because the path will be unknown to them. Or is this a naive assumption?
CodePudding user response:
Firebase Anonymous auth is not as secure as other Firebase auth options
Anonymous auth is just as secure as most other sign in methods, it just doesn't give you any knowledge about who the user is. But they still get a UID assigned to them by Firebase, which allows you to secure data access for that user.
With this rule you showed:
match /collection/{uid} {
  allow get, write: if request.auth != null && request.auth.uid == uid;
}
A user can only read and write the document that matches with their UID. So no matter if they signed in anonymously or with another provider, they can only read/write their own document.
So these rules indeed don't allow any user to get a list of other user documents. Even if you allowed the list operation (or the combined read operation), a read operation for the entire collection would get rejected as the request.auth.uid == uid condition requires that they only read their own document.
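To make the get/list distinction from the answer concrete, here is an added example that is not part of the post and not the Firebase rules engine: a small JavaScript model of how a rule set like the one above is evaluated. Collection names (profiles, users) and the uid "anon123" are constructed for illustration; the "unbound wildcard means deny" treatment of list requests is a simplification of how Firestore refuses queries it cannot prove safe for every possible result.

```javascript
// Added example: a toy evaluator mimicking how Firestore rules treat `get`
// versus `list`. It is NOT the Firebase engine; names below are constructed.

// Rules mirroring the two patterns in the post.
// `allow read` in the rules language expands to both `get` and `list`.
const RULES = [
  // match /profiles/{doc} { allow get: if request.auth != null; }
  { path: ["profiles", "{doc}"], ops: ["get"],
    cond: (auth) => auth !== null },
  // match /users/{uid} { allow read, write: if request.auth != null && request.auth.uid == uid; }
  { path: ["users", "{uid}"], ops: ["get", "list", "write"],
    cond: (auth, b) => auth !== null && b.uid !== undefined && auth.uid === b.uid },
];

// Bind wildcards in a rule path to the request path. A `get`/`write` targets a
// document, so every wildcard gets a value. A `list` targets the collection, so
// the final document wildcard is unbound: a condition that depends on it cannot
// hold for every document the query could return, and is treated as false.
function matchRule(rule, op, segments) {
  const expectLen = op === "list" ? rule.path.length - 1 : rule.path.length;
  if (segments.length !== expectLen) return null;
  const bindings = {};
  for (let i = 0; i < segments.length; i++) {
    const pat = rule.path[i];
    if (pat.startsWith("{")) bindings[pat.slice(1, -1)] = segments[i];
    else if (pat !== segments[i]) return null;
  }
  // A list only matches a rule whose last segment is a document wildcard.
  if (op === "list" && !rule.path[rule.path.length - 1].startsWith("{")) return null;
  return bindings;
}

// Firestore grants a request if any matching rule allows it.
function isAllowed(op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  return RULES.some((rule) => {
    const b = matchRule(rule, op, segments);
    return b !== null && rule.ops.includes(op) && rule.cond(auth, b);
  });
}

// Constructed requests from an anonymous user whose Firebase-assigned uid is "anon123".
const anon = { uid: "anon123" };
console.log(isAllowed("get", "/profiles/alice", anon));  // true: signed in, get-only
console.log(isAllowed("list", "/profiles", anon));       // false: no `list` granted
console.log(isAllowed("get", "/users/anon123", anon));   // true: own document
console.log(isAllowed("get", "/users/other", anon));     // false: someone else's
console.log(isAllowed("list", "/users", anon));          // false: uid cannot be bound
console.log(isAllowed("get", "/profiles/alice", null));  // false: not signed in
```

Note that this only models client requests: the Admin SDK bypasses security rules entirely, so `get`-only rules do not restrict it.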