Email: [Firebase] Client access to your Cloud Firestore database expiring in X day(s)

I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2019, 12, 14);
    }
  }
}

What needs to be done to satisfy the request of this email?

Asked Nov 15 '19 03:11 by Doug Stevenson


4 Answers

The security rules shown here are a departure from the previous default rules that were much more permissive. The idea with this rule:

match /{document=**} {
  allow read, write: if request.time < timestamp.date(2019, 12, 14);
}

is that you get unrestricted access to your Firestore database up until the given date, in order to freely experiment with it for a month. However, allowing unrestricted access is obviously a massive security hole in the long run.

The recommended course of action is to first remove this rule entirely as it allows anyone to read and write anything in your database. Then, devise some proper rules that allow only access to collections and documents that your eventual users should be able to access. A full discussion of that is off-topic for Stack Overflow (as we don't know your app's requirements), but here are some good places to start learning about security rules:

  • The documentation
  • This video series

What you should be doing is calling out the access constraints for each collection and subcollection in your database. Ideally, you should lock down unauthenticated write access to all collections, except where absolutely required. In the best case, you're using Firebase Authentication to help control access to documents only as required for authenticated users.

Alternatively, if you're done working with the database (for the time being), you can block access to the database from web and mobile clients entirely by using the following rule exclusively:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read, write: if false;
  }
}

With this rule, access from backend code using the Firebase Admin SDK or other Cloud SDKs will still be allowed.

Answered Sep 30 '22 05:09 by Doug Stevenson


Or, if you are like me and still in test mode, just update the date:

match /{document=**} {
   // from previous date 2019, 12, 14 to new date 2020, 01, 4
   allow read, write: if request.time < timestamp.date(2020, 01, 4);
}

Answered Sep 30 '22 06:09 by zizutg


Whenever you start a new project on Firebase (or) set up a Firestore database, Firebase by default adds a set of rules for your database, which looks something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(XXXX, XX, XX);
    }
  }
}

The "timestamp.date" dates to 1 month from when you start the project, more or less like a 30-day free trial. Upon passing this date, the database denies all the client requests. So, the email is basically a reminder for you to change the security rules. One simple way is to allow read/write requests only to authenticated users:

// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Note that this is one of the ways to define the rules and it need not be exactly as shown; you could further make modifications as per your requirements. For more information, you can have a look at this documentation.

Answered Sep 30 '22 05:09 by Prajwal Kulkarni


When you create a Firestore db, you get access for 30 days. Your rule looks like this. See the date, allowing read/write for a certain duration:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if
          request.time < timestamp.date(2021, 8, 17);
    }
  }
}

The date part is important here. You can increase this date if you want to use it in Test mode for a longer period:

request.time < timestamp.date(2021, 10, 30);

OR, it's better to set access to any authenticated user while you're developing your app, like:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

It's good to always be more specific, especially when you are deploying in production. In that case your rule can be:

match /some_collection/{userId}/{documents=**} {
  allow read, write: if request.auth != null && request.auth.uid == userId;
}

You can read more detail in the official documentation: https://firebase.google.com/docs/rules/basics

Answered Sep 30 '22 05:09 by Amit Baderia
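A check a project owner can run locally against a firestore.rules file, covering the expiring test-mode rule discussed in the first answer as well as the date-bump and "any signed-in user" variants from the later answers. This is an added example, not code from the thread or from Firebase: the three sample rule texts are constructed copies of the snippets above, and the finding kinds ("expiring-open", "open", "auth-any") and messages are this script's own naming, not anything the Firebase tooling reports.

```python
"""Lint a Cloud Firestore rules file for test-mode leftovers.

Added example; not code from the thread or from Firebase. It recognises
the three rule shapes the answers discuss (the default expiring open rule,
a permanently open rule and the "any signed-in user" rule) and reports the
days left before an expiry date so the reminder e-mail is not the first warning.
"""
import re
from datetime import date

# Constructed sample: the default test-mode template quoted in the question.
SAMPLE_TEST_MODE = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database.
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2019, 12, 14);
    }
  }
}
"""

# Constructed sample: the "any authenticated user" rule from the answers.
SAMPLE_AUTH_ANY = """service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
"""

# Constructed sample: clients fully locked out (the Admin SDK is unaffected).
SAMPLE_LOCKED = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read, write: if false;
  }
}
"""

COMMENT_RE = re.compile(r"//[^\n]*")
MATCH_RE = re.compile(r"match\s+(\S+)\s*\{")
ALLOW = r"allow\s+([\w,\s]+?)\s*:\s*if\s+"
EXPIRY_RE = re.compile(ALLOW + r"request\.time\s*<\s*timestamp\.date\("
                       r"\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})\s*\)")
OPEN_RE = re.compile(ALLOW + r"true\s*;")
AUTH_ANY_RE = re.compile(ALLOW + r"request\.auth\s*!=\s*null\s*;")


def _enclosing_path(src, pos):
    """Path of the nearest 'match' block opened before pos.

    Sufficient for the flat templates above; it does not track closing
    braces, so a rule in a deeply nested file may be attributed to the
    preceding sibling block instead of its parent.
    """
    last = None
    for m in MATCH_RE.finditer(src, 0, pos):
        last = m.group(1)
    return last


def lint_rules(text, today):
    """Return a list of finding dicts for the rules source 'text'.

    'today' (a date or an ISO date string) fixes the reference date so
    the days-left figure is reproducible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    src = COMMENT_RE.sub("", text)  # the template comments also say "allow"
    findings = []
    for m in EXPIRY_RE.finditer(src):
        expires = date(int(m.group(2)), int(m.group(3)), int(m.group(4)))
        findings.append({"kind": "expiring-open", "path": _enclosing_path(src, m.start()),
                         "ops": m.group(1).strip(), "expires": expires,
                         "days_left": (expires - today).days})
    for kind, rx in (("open", OPEN_RE), ("auth-any", AUTH_ANY_RE)):
        for m in rx.finditer(src):
            findings.append({"kind": kind, "path": _enclosing_path(src, m.start()),
                             "ops": m.group(1).strip()})
    return findings


def describe(f):
    """One-line message per finding, written for whoever owns the project."""
    path, ops = f["path"] or "<unknown path>", f["ops"]
    if f["kind"] == "expiring-open":
        if f["days_left"] < 0:
            return (f"{path}: {ops} was open to anyone until {f['expires']}; "
                    f"expired {-f['days_left']} day(s) ago, clients are now denied")
        return (f"{path}: {ops} open to anyone on the internet for "
                f"{f['days_left']} more day(s), until {f['expires']}")
    if f["kind"] == "open":
        return f"{path}: {ops} permanently open to anyone on the internet"
    return (f"{path}: {ops} allowed for every signed-in account; restrict to "
            f"document owners (e.g. request.auth.uid == userId) before production")


if __name__ == "__main__":
    for name, rules in (("test-mode", SAMPLE_TEST_MODE), ("auth-any", SAMPLE_AUTH_ANY),
                        ("locked", SAMPLE_LOCKED)):
        found = lint_rules(rules, date.today())
        print(name, "->", "; ".join(describe(f) for f in found) or "no findings")
```

To use it on a real project, pass the contents of your firestore.rules file to lint_rules with date.today(). A clean result only means none of the three template shapes remain; it says nothing about whether the per-collection rules you wrote instead are correct, which is what the emulator-based rules tests in the Firebase documentation are for.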