I am using Firebase Firestore to store a list of transactions in a collection called transactions .
I use react to get the transaction from the collection, using a URL with the id of the transaction document: http://myurl.com/h1kj54h2jk35h
const id = match.params.id;
firebase.firestore().collection('transactions').doc(id).get()
The same way I create a new doc. I have not firebase authentication.
How can I secure my Firestore rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /transactions/{id} {
allow read, write;
}
}
}
If I don't allow write, I can't create new transactions.
If I don't allow read, I can't read the transaction, but I don't want to allow the read of all transactions. Only the once when the id from the URL is valid.
Thus, I am looking for a way to protect my database agains unwanted document creations and unwanted document reads.
I think you're looking for what are called granular operations. From that link:
In some situations, it's useful to break down read and write into more granular operations. For example, your app may want to enforce different conditions on document creation than on document deletion. Or you may want to allow single document reads but deny large queries.
A read rule can be broken into get and list, while a write rule can be broken into create, update, and delete.
So if you want to only allow creation of new documents, and getting of document for which a user must know the ID, that'd be:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /transactions/{id} {
allow create, get;
}
}
}
Related
I'm trying to setup role based authentication in Cloud Firestore. The intent is to have it set up so that only users within an organization can read the organization or associated events. It is working when the client requests a single document (get), but not a query of documents (list).
My collection called organizations looks like this, so far only containing a single document with ID devtest:
{
"name": "Dev Test"
"users": [
"STFg0EvGemTaD2r9jyby0UMSt6O2"
]
"orgid": "devtest"
}
I also have a collection of events (so far also only containing one):
{
"name": "foo",
"orgid": "devtest",
...
}
And my rules look like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isSignedIn() {
return request.auth != null;
}
function userIsUser() {
return isSignedIn() &&
request.auth.uid in get(/databases/$(database)/documents/organizations/$(resource.data.orgid)).data.users;
}
match /organizations/{org} {
allow read: if userIsUser();
allow write: if false;
}
match /events/{event} {
allow read: if userIsUser();
allow write: if userIsUser();
}
}
}
What I'm confused about is why I can do a get and it succeeds, for example:
firebase.firestore().collection('organizations').doc('devtest').get()
but when I try a query it fails, for example:
firebase.firestore().collection('organizations').where('users', 'array-contains', firebase.auth().currentUser ? firebase.auth().currentUser.uid : false)
responds with permission denied. I know that a security rule is not a filter, there is only the one document in the collection right now.
Any suggestions on what I might be missing?
Thanks!
According to this documentation, using authentication objects directly causes issues, since they can be in an intermediary state. It’s recommended you also create an authentication listener that waits for the state to change.
By using an observer, you ensure that the Auth object isn't in an intermediate state—such as initialization—when you get the current user. When you use signInWithRedirect, the onAuthStateChanged observer waits until getRedirectResult resolves before triggering.
If this is happening in your query, it might explain why it gives you the permissions error, as the object can be still initializing and resolving to false instead of true.
I have a firestore rule for a collection "orders" and i use the simulator tool to est my rules and they definitely pass for all reads, yet when i attempt to display the orders in my console i get an error
Rules
match /orders/{document=**} {
allow read;
allow write: if isAdmin();
allow create: if isOrderOwner();
}
function isAdmin() {
return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.userinfo.isAdmin;
}
function isOrderOwner() {
return get(/databases/$(database)/documents/orders/$(request.auth.uid)) == request.auth.uid
}
On my app, all i'm doing is console.log(orders) and i get this error:
Uncaught Error in snapshot listener: FirebaseError: Missing or insufficient permissions.
In my front end (react)
db.collectionGroup('orders').onSnapshot(snap => {
let ordersArr = []
snap.forEach(doc => {
if(doc.data().orderid)
ordersArr.push(doc.data())
})
setAllOrders(ordersArr)
console.log(ordersArr) // -> this console causes the insufficient permissions error
})
I can't figure it out, i very simply have allow read; for all documents in my orders collection.
Note: the orders are in a subcollection of the orders collection (i don' think that is the problem though)
You are using collectionGroup so if I assume orders is a sub-collection for each document in parent collection, let's say users or customers, the rules should ideally be something like this:
rules_version = '2';
service cloud.firestore {
match /{path=**}/orders/{orderId} {
allow read;
allow write: if false; // <- any rules you have for writes
}
}
I ran the following query and the read operation was allowed:
const snapshot = await firebase.firestore().collectionGroup("orders").get();
console.log(snapshot.size, "docs")
The {path=**} is a recursive wildcard as mentioned in the documentation.
The documentation says,
In your security rules, you must explicitly allow collection group
queries by writing a rule for the collection group:
Make sure rules_version = '2'; is the first line of your ruleset. Collection group queries require the new recursive wildcard {name=**}
behavior of security rules version 2.
Write a rule for you collection group using match /{path=**}/[COLLECTION_ID]/{doc}.
Because both isAdmin() and isOrderOwner() use a get() call, you are likely exceeding the limit for your query. You will need to apply a limit() to your collection group query and paginate through the results. As each rule uses two get() calls, you will only be able to retrieve up to 10 documents per query request.
Paraphrased from the Cloud Firestore Security Rules Documentation:
A limit of 10 exists(), get(), and getAfter() calls applies to single-document requests and query requests.
A limit of 20 exists(), get(), and getAfter() calls per request applies to multi-document reads, transactions, and batched writes.
For example, imagine you create a batched write request with 3 write operations and that your security rules use 2 document access calls to validate each write. In this case, each write uses 2 of its 10 access calls and the batched write request uses 6 of its 20 access calls.
Exceeding either limit results in a permission denied error.
I recently started a firebase project, and I need some help with the security rules. When A user signs up, I create a new document in a collection called "Users". The document name is encrypted by a server, and can only be decrypted by that same server. The problem I am having now is that if a malicious entity wanted to, they could get all of the documents in the collection by changing client-side code, and that would defeat the whole purpose of encrypting the data. So my question is: Is there a way to enforce that somebody can only read the data of their document in the collection, and block attempts to read the whole collection? (I am using Firestore by the way.)
Thanks so much!
FireBase Rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
match /users/{userId} {
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
allow read, write;
}
}
}
}
You're duplicating rules:
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
allow read, write;
Since allow read is a combination of allow list and allow get, that last line make the two lines above it useless.
The minimum change is to remove read from the allows:
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
allow write;
I suspect you'll want to tighten the allow write to only allow users to write their own document, but that's a separate problem.
I have an app that is designed so authenticated users via Google only have access to their own data with no "social" features. I want to know the security rules for the below criteria.
Let's say I have 5 collections and one of them is called "todos" and the data mirrors the other collections in that it has a field for the authenticated users uid. The typical document looks something like this:
Todos
todo:{
title:"some titled",
body:"we are the world , we are the children",
uid:"2378y4c2378rdt2387btyc23r7y"
}
Some other collection
thing:{
name:"some name",
content:"Some content",
whatever:"whu-eva",
uid:"2378y4c2378rdt2387btyc23r7y"
}
I want the authenticated Google user to be able to CRUD any data that has said users uid in the uid field. I want all other data to be inaccessible to the logged in user.
I want to know how to create rules for this scenario.
I'm mulling through the documentation now but I figure I might be able to save some time by asking.
I do not have specific roles for the app.
https://firebase.google.com/docs/firestore/solutions/role-based-access
As a side note, is their a feature in Firebase to automatically bind an authenticated Google users uid to documents created while they are logged in? (I am assuming the answer is no and I was planning on manually grabbing the uid in my app and setting it on the client prior to document creation).
Thank you.
Update
I tried using the code that Klugjo posted below.
When I try to test it in the simulator I get an error.
Here is my collection and a screenshot of the error.
Here is something else I tried:
Based on everything I've read it seems like the following code should work - but it doesn't. I've supplemented the key "userId" in place of " uid" that is written in the object data at the top of this post. I changed the key to distinguish it from the uid.
service cloud.firestore {
match /databases/{database}/documents {
match /todos/{id} {
allow read: if request.auth.uid == request.resource.data.userId;
allow create, update, delete:
if request.resource.data.userId == request.auth.uid;
}
}
}
I've created a video where I try to GET and CREATE a document.
I don't think I am using the testing feature correctly.
Video
https://www.youtube.com/watch?v=W7GZNxmBCBo&feature=youtu.be
EDIT
I have it working when I test with a hard-coded request.auth.uid.
In the image below I hardcoded "test" as the request.auth.uid.
My problem now is that I would really like to know how to test it in the rules editor without hard-coding this information.
Edit
Here is a video demo of the problem using a real app.
https://www.youtube.com/watch?v=J8qctcpKd4Y&feature=youtu.be
Here is a sample secure rule set for your requirements.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{id}/{u=**} {
allow read, write: if (isSignedIn() && isUser(id));
}
match /todos/{id}/{t=**} {
allow read, write: if (isSignedIn() && isUserOwner());
}
match /{document=**} {
allow read, write: if false;
}
function isSignedIn() {
return request.auth != null;
}
function isUser(uid) {
return uid == request.auth.uid;
}
function isUserOwner() {
return getResourceData().uid == request.auth.uid;
}
function getResourceData() {
return resource == null ? request.resource.data : resource.data
}
}
}
All documents are publicly inaccessible.
The rests will be decided based on the data already saved in DB and / or the data being sent by the user. The key point is resource only exists when reading from DB and request.resource only exists when writing to DB (reading from the user).
Documents under todos can be read and written only if they have a saved uid which is the same as the sent request's uid.
Documents under users can be read and written only if their document id is the same as the sent request's uid.
isSignedIn() function checks if request is authorised.
isUser(id) function checks if id matches the authorised request's uid.
isUserOwner() function checks if document's uid matches the authorised request's uid.
I think what you are looking for is the "resource" parameter in the security rules: https://firebase.google.com/docs/firestore/security/rules-conditions#data_validation
Try something like:
service cloud.firestore {
match /databases/{database}/documents {
match /todos/{id} {
allow read, write: if request.auth.uid == resource.data.userId;
}
}
}
EDIT:
Subcollection strategy
If you change your DB to look like the following:
/users/{userId}/todos/**
then you could allow users to read/write anything under their own document with the following rule:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{uid}/{doc=**} {
allow read, write: if request.auth != null && request.auth.uid == uid;
}
}
}
This would have the advantage of not needing to introspect the contents of the data which I believe might count against your read quota.
You are looking for something like this
service.cloud.firestore {
match /databases/{database}/documents {
match /todos/{userId} {
allow read, update, delete: if request.auth.uid == userId;
allow create: if request.auth.uid != null;
}
}
}
match /todos/{userId} makes the userId variable available in the rule condition
request.auth.uid matches the auth'd user uid
I am using Firebase Cloud Firestore, and I want to modify my rules to restrict users from querying a collection.
This should not be allowed:
firestore().collection("users").get()
But this should be allowed:
firestore().collection("users").doc("someUserId").get()
Currently, my rules look like this:
match /users/{userId} {
allow read;
}
but this rule allows the "users" collection to be queried.
How can I allow single document gets, but not collection queries?
You can break read rules into get and list. Rules for get apply to requests for single documents, and rules for list apply to queries and requests for collections (docs).
match /users/{userId} {
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
}
Just allow get and you'll be good:
match /users/{userId} {
allow get;
}
Reference: https://firebase.google.com/docs/rules/rules-language#:~:text=Convenience%20methods-,read,-Any%20type%20of