I am using the real-time DB ONLY for counting online/active users in real-time mode.
The simple DB structure is literally this:
"user-states": {
"user-id-1": 1,
"user-id-2": 2,
....
}
My current rules:
{
    "rules": {
        ".read": "auth.uid != null",
        ".write": "newData.exists() && auth.uid != null"
    }
}
I can't think of better rules for the simplest DB structure given above. If there's a breach in the Firebase project, it'll be no problem for the whole system. Delete or alter the data, no problem, since it gets updated in real-time.
If I made the rules above correct, then is it possible to just silence the warning emails about the "insecure" rules?
CodePudding user response:
While your current rules do their job, they don't protect your database from abuse, which is why they are marked insecure and you get the alert. These alerts are important and there is no way to disable them other than applying an email inbox filter and sending them straight to trash (strongly not recommended).
As some examples of attack vectors, you could do the following with your current structure:
- Empty /user-states and fill it with garbage - which may break your client-side logic
- Change a user's state to something unexpected (e.g. non-number, invalid enum value) - which may break your client-side logic
- Change another user's state without permission
- Write megabytes of data to the database - which may break your client-side logic
Because your structure seems to be /user-states/$uid = <numeric status>, you can at least tighten your rules accordingly to:
{
    "rules": {
        "user-states": {
            // any signed-in user may read states
            ".read": "auth.uid != null",
            "$uid": {
                // only the concerned user may update their own state
                ".write": "newData.exists() && auth.uid == $uid",
                // state must be numeric
                ".validate": "newData.isNumber()"
            }
        }
    }
}
If these are too restrictive, you could also use the following which is marginally better than your original rules:
{
    "rules": {
        "user-states": {
            // any signed-in user may read states
            ".read": "auth.uid != null",
            // any signed-in user may update the state of another user
            ".write": "newData.exists() && auth.uid != null",
            "$uid": {
                // state must be numeric
                ".validate": "newData.isNumber()"
            }
        }
    }
}
Note: You could further restrict the new state value to a handful of values rather than just "is a number".
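As an added illustration (not Firebase's rule engine and not code from the thread), the following Python model replays the abusive writes listed in the answer against the three rule sets above, using the two semantics that matter here: a `.write` grant cascades from the root down to the written path, and `.validate` is checked at the written node and every child of the new data. The user ids, the sample data and the `mallory` account are constructed.

```python
import copy

NUM = lambda a, d, w: isinstance(d, (int, float)) and not isinstance(d, bool)  # newData.isNumber()
ANY_USER = lambda a, d, w: d is not None and a is not None  # newData.exists() && auth.uid != null

# The three rule sets from the thread as nested dicts mirroring the rules JSON (.read omitted);
# each predicate receives (auth.uid, newData at that node, bound $wildcards).
ORIGINAL = {".write": ANY_USER}
MIDDLE = {"user-states": {".write": ANY_USER, "$uid": {".validate": NUM}}}
TIGHT = {"user-states": {"$uid": {
    ".write": lambda a, d, w: d is not None and a == w["$uid"], ".validate": NUM}}}

def descend(node, key, wild):
    # One level down the rule tree; a "$wildcard" key binds the path segment.
    if key in node:
        return node[key], wild
    for k in node:
        if k.startswith("$"):
            return node[k], {**wild, k: key}
    return {}, wild

def validate(node, wild, auth, data):
    # .validate must hold at the written node and at every child in the new data.
    if ".validate" in node and not node[".validate"](auth, data, wild):
        return False
    if isinstance(data, dict):
        return all(validate(*descend(node, k, wild), auth, v) for k, v in data.items())
    return True

def write_allowed(rules, db, path, auth, value):
    # .write is granted if any node from the root down to the target grants it (grants cascade).
    new_db = copy.deepcopy(db)
    parent = new_db
    for key in path[:-1]:
        parent = parent.setdefault(key, {})
    parent[path[-1]] = value
    node, wild, snap, granted = rules, {}, new_db, False
    for key in path + [None]:  # trailing None: check .write at the target node itself
        granted = granted or (".write" in node and node[".write"](auth, snap, wild))
        if key is not None:
            node, wild = descend(node, key, wild)
            snap = snap.get(key) if isinstance(snap, dict) else None
    return bool(granted) and validate(node, wild, auth, snap)

DB = {"user-states": {"alice": 1, "bob": 2}}  # constructed sample data
WRITES = {  # the abusive writes listed in the answer, attempted by signed-in user "mallory"
    "wipe_all": (["user-states"], "mallory", {"junk": 0}),
    "non_number": (["user-states", "mallory"], "mallory", "online"),
    "other_user": (["user-states", "alice"], "mallory", 3),
    "own_state": (["user-states", "mallory"], "mallory", 2),
}

def outcomes(rules):
    # Map each attempted write to True (accepted) or False (rejected) under `rules`.
    return {n: write_allowed(rules, DB, p, a, v) for n, (p, a, v) in WRITES.items()}
```

Under the original rules every write goes through; the intermediate rules only stop the non-numeric value, while the tightened rules reject everything except the user updating their own state.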