
What's Wrong With Implementing Firebase Security Rules In The App Itself?

I am new to Firebase database and I am having trouble understanding the security rules.

Example Rule 1:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

The above rule allows everyone to read and write the database.

Example Rule 2:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

The above rule allows only the authenticated user to read and write only their own data.

My question is, if I set the security rule of my database to Example Rule 1 and develop my app in such a way that only the authenticated users can read and write the data, what's wrong with it?

What's wrong with implementing the security rules in the app itself?


Answer

If I set the security rule of my database to Example Rule 1 and develop my app in such a way that only the authenticated users can read and write the data, what's wrong with it?

The security rules in your first solution validate the read and write operations on your entire database. So if you attach a listener on your Firebase database root node, it will check if you have read permission on the root node. Since you have set the read/write permission to true:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

All read and write operations will be approved, regardless of what your code looks like in your app. Please note that your database can be accessed by any other user, even if they don't use your app.

What's wrong with implementing the security rules in the app itself?

You cannot add security rules in your app. You can add some constraints, but you cannot make the server reject operations according to some rules.
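To make the answer's point concrete, the following is an added example (not Firebase's code and not part of the original question or answer) that simulates, in a simplified way, how the server walks a request's path and evaluates the ".read"/".write" rules of the two rule sets from the question. With Example Rule 1 every request is granted at the root no matter which client sends it, while Example Rule 2 grants only a request whose auth.uid matches the $uid path segment. The evaluator understands only the rule expressions that appear on this page (boolean literals and "$var === auth.uid"), and the cascading behaviour (a grant at an ancestor applies to its descendants; a path with no granting rule is denied) follows the Realtime Database rule semantics.

```javascript
// Constructed copies of the two rule sets from the question.
const ruleSet1 = { rules: { ".read": true, ".write": true } };
const ruleSet2 = {
  rules: {
    users: {
      "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" },
    },
  },
};

// Evaluate one rule expression. Supported subset: boolean literals and
// "$var === auth.uid". `auth` is null for an unauthenticated client.
function evalRule(expr, vars, auth) {
  if (typeof expr === "boolean") return expr;
  const m = /^(\$\w+) === auth\.uid$/.exec(String(expr).trim());
  if (!m) throw new Error(`unsupported rule expression: ${expr}`);
  return auth !== null && vars[m[1]] === auth.uid;
}

// Server-side decision: walk the path from the root, binding "$..." wildcard
// segments as we go. The request is allowed as soon as a rule along the path
// grants it; if the path ends without any grant, it is denied. Note that the
// decision depends only on the rules, the path and `auth`, never on which
// app or client issued the request.
function isAllowed(ruleSet, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = ruleSet.rules;
  for (let i = 0; ; i++) {
    if (node[op] !== undefined && evalRule(node[op], vars, auth)) return true;
    if (i === segments.length) return false; // end of path, nothing granted
    const seg = segments[i];
    let next = node[seg];
    if (next === undefined) {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // no rule node for this path
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
  }
}

// Example: an unauthenticated read of another user's data.
console.log(isAllowed(ruleSet1, ".read", "/users/alice", null)); // true
console.log(isAllowed(ruleSet2, ".read", "/users/alice", null)); // false
```

Because the decision is made from the rules and the request alone, a check that only exists in the app's code does not change the answer for a request sent by any other client.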

source: stackoverflow.com