
Hey, I am developing a web application for a public project using Firebase and I am worried about exposing user emails.

The basic idea of the website is:

1. Input -> user provides email and some information

2. Calculations happen on the server and information is written to Firestore (Admin SDK)

3. Output -> user receives a link in their email to view the results

The information I store is essentially:

taskID {
    input,
    email,
    output
}

Users only have read permissions.

My Firebase rules are as follows:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if false;
    }
  }
}

I know the Firebase credentials are somewhat exposed on the client, so I am worried that somebody can use them to list all tasks, then iterate over all tasks to get the emails and the user-provided inputs.
Is this possible at all? Would I have to have a different collection which can only be read by admins, then reference the fields?

taskID {
    input,
    email : privateCollectionID,
    output
}

privateCollectionID {
    email
}

Thanks

2 Answers


  1. Your current rules allow anyone and everyone to read all data in your database at will.

    If that’s not what you want, you’ll need to structure your data in a way that meets what you do want.

    If you want some data to be publicly readable, and other data to be only readable by the owner of that data, you will need to separate that data into different documents/collections and apply different rules to them.

    For an example, have a look at the Firebase documentation for public/private access in security rules.

  2. You could use a Callable Cloud Function that you call from the front-end passing the desired email.

    The CF queries the collection to find the document corresponding to the email and returns the document data.

    Since the Admin SDK bypasses security rules you can deny read access to this collection in the security rules.


    Note that:

    • This will not prevent users from testing for a certain email's existence, but it will prevent them from getting direct (one-shot) access to the entire email list.
    • The response time will be a bit longer compared to a direct query to Firestore via the JS SDK. More details in this article.
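Putting both answers together, here is an added example (not code from the question or either answer) of the split the first answer describes plus the lookup the second answer describes. It assumes a `tasks` collection holding only the public fields and a separate `contacts` collection holding the email, keyed by the same task id; in the rules, `match /tasks/{taskId}` would get `allow get: if true; allow list: if false;` so the emailed link (which carries the auto-generated, unguessable task id) still works while the collection cannot be enumerated, and `match /contacts/{taskId}` would get `allow read, write: if false;`. The `db` argument is the Admin SDK's `admin.firestore()` handle, which bypasses those rules; a small in-memory stand-in is included so the logic runs offline.

```javascript
// Added example for this thread (not code from the question or either answer).
// Assumptions: "tasks" holds only non-sensitive fields; "contacts" holds the
// email under the same document id and is unreadable by clients; `db` is an
// Admin SDK Firestore handle (admin.firestore()). A minimal in-memory
// stand-in for the few Firestore calls used is included for offline runs.

const TASKS = 'tasks';
const CONTACTS = 'contacts';

// Server-side write (the step that already uses the Admin SDK): the public
// document never contains the email; the private one shares the task id.
async function storeTask(db, taskId, { input, email, output }) {
  await db.collection(TASKS).doc(taskId).set({ input, output });
  await db.collection(CONTACTS).doc(taskId).set({ email: email.trim().toLowerCase() });
}

// Input validation for the untrusted callable payload.
function isPlausibleEmail(value) {
  return typeof value === 'string'
    && value.length <= 254
    && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Body of the callable: find the task(s) registered under one email. Only the
// public task fields are returned, so no email (the caller's included) and no
// other user's data ever crosses to the client.
async function lookupByEmail(db, email) {
  if (!isPlausibleEmail(email)) {
    throw new Error('invalid-argument: email');
  }
  const matches = await db.collection(CONTACTS)
    .where('email', '==', email.trim().toLowerCase())
    .get();
  const results = [];
  for (const contact of matches.docs) {
    const task = await db.collection(TASKS).doc(contact.id).get();
    if (task.exists) {
      results.push({ taskId: task.id, ...task.data() });
    }
  }
  return results;
}

// Deployment wiring (assumption: firebase-functions v1 callable API):
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.findTasks = functions.https.onCall(async (data) => {
//     try { return await lookupByEmail(admin.firestore(), data.email); }
//     catch (e) { throw new functions.https.HttpsError('invalid-argument', e.message); }
//   });

// In-memory stand-in (constructed for this example) covering only
// collection().doc().set()/get() and collection().where('==').get().
class FakeFirestore {
  constructor() { this.docs = new Map(); } // key "collection/id" -> data
  collection(name) {
    const docs = this.docs;
    return {
      doc: (id) => ({
        set: async (data) => { docs.set(`${name}/${id}`, { ...data }); },
        get: async () => {
          const data = docs.get(`${name}/${id}`);
          return { id, exists: data !== undefined, data: () => data };
        },
      }),
      where: (field, op, value) => ({
        get: async () => {
          if (op !== '==') throw new Error('stand-in supports == only');
          const hits = [...docs.entries()]
            .filter(([key, data]) => key.startsWith(`${name}/`) && data[field] === value)
            .map(([key, data]) => ({ id: key.slice(name.length + 1), data: () => data }));
          return { empty: hits.length === 0, docs: hits };
        },
      }),
    };
  }
}

// Walk-through: two constructed submissions, one lookup; returns what the
// client would receive for alice (one task, no email field).
async function demo() {
  const db = new FakeFirestore();
  await storeTask(db, 'task-001', { input: 'q1', email: 'Alice@Example.com', output: 'r1' });
  await storeTask(db, 'task-002', { input: 'q2', email: 'bob@example.com', output: 'r2' });
  return lookupByEmail(db, 'alice@example.com');
}

demo().then((r) => console.log(JSON.stringify(r)));
```

As the second answer notes, this still lets an unauthenticated caller learn whether a given email has a task; if that matters, the function can instead re-send the result link to that address and return nothing, so only the mailbox owner ever sees the data.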