How safe is auth !== null? Firebase

Nshweky picture Nshweky · Jul 19, 2017 · Viewed 10.8k times · Source

I've been using Firebase for quite some time, but I only now decided to really look into the security rules.

My question is, how safe is "auth !== null"? Yes, I realize that this means that only an authenticated user can access the data, but how easy is it to become authenticated? Can someone sign up for the app, and then use those credentials to GET request right into my database?

Like I said, I'm new to Security rules, so I'm sorry if this is an obvious question.

Here's my security rules:

{
  "rules": {
    "Users": {
      "$user_id": {
        ".write": "$user_id === auth.uid",  
        ".read" : "auth !== null",
        "shoofers" : {
          ".write" : "auth != null"
        }
      }
    }
  }
}

Thanks!

Neil

Answer

bojeil picture bojeil · Jul 20, 2017

A user can authenticate via anonymous, email/password, various OAuth providers and phone number sign in. You can enable/disable either of them. Your root rule above allows read only access to any authenticated user via any of the mechanisms stated and write access for a specified user to their own data. It is very difficult to fake sign in. The database will always check that the request has an ID token (when auth is not null). ID tokens use public-key cryptography and are hard to fake without possession of the private key.