I have a mobile application with the Firebase database. In the application, the customer orders products through the mobile App, and for now I have not added the need to register to order. The store receives the orders in the web panel and answers the customer. Well, I created some default rules, but Google has already told me that my rules are insecure and I must change them.
// In this way the orders arrive from the mobile App to the database, but it is not secure
service cloud.firestore {
match / databases / {database} / documents {
match / {document = **} {
allow read, write: if true;
}
}
}
I have changed them:
// In this way the orders made from the App do not reach the database
service cloud.firestore {
match / databases / {database} / documents {
match / {document = **} {
allow read: if true
allow write: if request.auth.uid == request.data.author_uid
}
}
}
I've read the Firebase documentation and answers on this site on the topic of Firebase rules, but I can't figure out the correct way to write my rules.
With the rules configured in the first way, the application works, but they are not secure.
When I change them to the second option, the mobile application does not send the orders to the web panel of the store, since it is not registered.
How should I configure my rules so that they are safe and at the same time the user can place orders?
CodePudding user response:
It's is recommended to allow read/write access to your users until they are authenticated. If you openly allow your users then It will show you warnings.
Replace your rules with the given one -
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}CodePudding user response:
These rules are insecure because your are allowing any authenticated user to read/write any part of your database. match /{document=**} is a recursive wildcard which applies the rule to all documents and all it's sub-documents.
Assuming you have a users collection and an orders collection like this:
users -> {userId}
(col) (doc)
orders -> {orderId}
(col) (doc)
You can add these rules:
// In this way the orders made from the App do not reach the database
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth.uid === userId;
}
match /orders/{orderId} {
allow read, write: if request.auth.uid === resource.data.userId;
}
}
}
These rules will allow the user who created that order only to read/write the order. You would have to store the userId in a field in order document (author_id in your example).
When I change them to the second option, the mobile application does not send the orders to the web panel of the store, since it is not registered.
That's because the rules expect the user to be logged in via Firebase Auth.
I have not added the need to register to order.
That's where Firebase Anonymous Auth comes handy. You can create a new anonymous user which does not require any credentials from user but will create a user in Firebase Auth with an UID which can be used in Firestore document and securely store user's orders.
When a user is about to finalize an order, you can convert anonymous account to a permanent account. This is highly recommended because if the user logs out of their anonymous account by any means including explicit sign out or uninstalling app, the same account (with that UID) can never be recovered.
Do note that you can also structure the database as shown below:
user -> {userId} -> orders -> {orderId}
This way you might not need to store userId as a field in every order document.