Email: [Firebase] Client access to your Cloud Firestore database expiring in X day(s)

46
December 08, 2019, at 10:20 AM

I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2019, 12, 14);
    }
  }
}

What needs to be done to satisfy the request of this email?

Answer 1

The security rules shown here are a departure from the previous default rules that were much more permissive. The idea with this rule:

match /{document=**} {
  allow read, write: if request.time < timestamp.date(2019, 12, 14);
}

Is that you get unrestricted access to your Firestore database up until the given date, in order to freely experiment with it for a month. However, allowing unrestricted access is obviously a massive security hole in the long run.

The recommended course of action is to first remove this rule entirely, as it allows anyone to read and write anything in your database. Then, devise some proper rules that allow access only to the collections and documents that your eventual users should be able to access. A full discussion of that is off-topic for Stack Overflow (as we don't know your app's requirements), but here are some good places to start learning about security rules:

  • The documentation
  • This video series

What you should be doing is calling out the access constraints for each collection and subcollection in your database. Ideally, you should lock down unauthenticated write access to all collections, except where absolutely required. In the best case, you're using Firebase Authentication to help control access to documents only as required for authenticated users.

Alternatively, if you're done working with the database (for the time being), you can block access to the database from web and mobile clients entirely by using the following rule exclusively:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read, write: if false;
  }
}

With this rule, access from backend code using the Firebase Admin SDK or other Cloud SDKs will still be allowed.
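As an added illustration of the per-collection approach the answer describes (this is example code written for this page, not rules from the original post or from Firebase), here is a rules file that replaces the expiring catch-all with explicit constraints. The collection names (`users`, `notes`, `posts`), the `authorId` field and the helper function names are assumptions for the example; substitute your own schema.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper functions (hypothetical names chosen for this example).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // /users/{userId}: a signed-in user may read and write only their own profile.
    match /users/{userId} {
      allow read, write: if isOwner(userId);

      // Private subcollection /users/{userId}/notes/{noteId}: same owner-only rule.
      // Nested matches do not inherit the parent's allow, so it is restated here.
      match /notes/{noteId} {
        allow read, write: if isOwner(userId);
      }
    }

    // /posts/{postId}: public read; only signed-in users may create, and only with
    // themselves recorded as the author; only the author may update or delete.
    // request.resource.data is the incoming document, resource.data the stored one.
    match /posts/{postId} {
      allow read: if true;
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if signedIn()
                            && resource.data.authorId == request.auth.uid;
    }

    // Deliberately no `match /{document=**}` with an allow: any path not matched
    // above (e.g. /admin/config) is denied to web and mobile clients by default.
    // The Firebase Admin SDK bypasses security rules, so backend code keeps access.
  }
}
```

The key property is that nothing falls through: a client request that matches no `allow` is denied, so there is no date after which the rules silently change. Deploy with `firebase deploy --only firestore:rules` and exercise the rules against the Firestore emulator before relying on them, since a rule that compiles is not necessarily a rule that denies what you think it denies.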
