The Realtime Database is public facing, so it needs a robust security system.
Firestore and Firebase Storage both use Firebase's new security rules syntax, which we've covered elsewhere. Those learnings won't transfer to the RTDB, because the RTDB's security rules were designed back in 2011 and are specific to its JSON data model.
The RTDB stores data in JSON. It's security rules are also written in JSON and follow the pattern of the data that you plan on storing.
The starting JSON rules object is pretty simple:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Notice that there's a root attribute named rules
and there are two kinds of permissions, .read
and .write
. There's also an auth
object available in the rule conditions which we can test to make sure that it's not null. If it's not null, then the request must be coming from an authenticated user!
Now let's secure the users
node on our imaginary JSON tree.
Data
{
"users": {
"userOne": {...},
"userTwo": {...}
}
}
Rules
{
"rules": {
"users": {
".read": "auth != null",
".write": false
}
}
}
Notice how we created a new node under rules
and we called that node users
? Yeah, we're nesting our rules to match our data. So rules.users
matches our users
node in the JSON.
The RTDB has only three rule types:
.read
.write
.validate
.read
, .write
and .validate
must all be set to true
, false
or a string "condition" that the security rules engine will need to evaluate.
.read
and .write
are simple enough. They grant read or write access.
.validate
will prevent a write if it's condition statement evaluates to false.
The RTDB has one more type, although we wouldn't call it a rule so much as a directive:
.indexOn
The .indexOn
field is necessary to speed up RTDB queries, and it's either the string ".value"
or an array of strings representing the attributes to index.
.indexOn
could be used like this:
{
"rules": {
"scores": {
".indexOn": ".value"
},
"teams": {
".indexOn": ["ranking", "dateCreated", "mascotColor"]
}
}
}
Wildcards are an important concept in RTDB security rules. Here's an example of a $userId
wildcard:
{
"rules": {
"users": {
"$userId": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$userId === auth.uid"
}
}
}
}
The dollar sign in $userId
indicates that it's a wildcard. You an name wildcards whatever you like. You could have named it $broccoli
... but then you'd have to refer to the wildcard as broccoli
in your condition statements :)
Wildcards apply to all otherwise-unspecified attributes. So assume the following data:
{
"users": {
"userOne": {...},
"userTwo": {...},
"userThree": {...},
}
}
We have three users. Now let's imagine all user data is public except that of our admin, userThree
. Also let's assume that we want userThree
to be able to write to everyone's records as well as read and write to her own.
{
"rules": {
"users": {
"$userId": {
".read": true,
".write": "auth.uid === 'userThree'"
},
"userThree": {
".read": "auth.uid === 'userThree'",
".write": "auth.uid === 'userThree'"
}
}
}
}
We used the $userId
wildcard to set rules for all users. Then, by specifying rules.users.userThree
, we overrode the wildcard for userThree
.
Be very aware when designing your data models that RTDB security rules cascade.
Let's modify the earlier example a bit and try to block all users from reading users.$userId.superSecretUserAttributes
.
{
"rules": {
"users": {
"$userId": {
".read": true,
".write": "auth.uid === 'userThree'",
"superSecretUserAttributes": {
".read": "auth.uid === 'userThree'"
}
}
}
}
}
Remember how rules cascade? Well, our attempt at securing superSecretUserAttributes
just failed, because we granted .read
access higher up the chain. In this example, all users can still read superSecretUserAttributes
and the nested .read
rule gets ignored.
Cascading security rules mean that you should design your data structure such that you never need to nest security rules. Here's our favorite way to write rules:
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid === $uid || auth.token.admin === true",
".write": "auth.uid === $uid || auth.token.admin === true"
}
},
"userOwned": {
"$objectType": {
"$uid": {
".read": "auth.uid === $uid || auth.token.admin === true",
".write": "auth.uid === $uid || auth.token.admin === true"
}
}
},
"userReadable": {
"$objectType": {
"$uid": {
".read": "auth.uid === $uid || auth.token.admin === true",
".write": "auth.token.admin === true"
}
}
},
"userWriteable": {
"$objectType": {
"$uid": {
".read": "auth.token.admin === true",
".write": "auth.uid === $uid || auth.token.admin === true"
}
}
},
"adminOwned": {
"$objectType": {
"$uid": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true"
}
}
},
"public": {
"$objectType": {
"$uid": {
".read": true,
".write": "auth.token.admin === true"
}
}
}
}
}
And that's it! We have six base nodes in our data structure:
{
"users": {...},
"userOwned": {...},
"userReadable": {...},
"userWriteable": {...},
"adminOwned": {...},
"public": {...}
}
And notice how each base node has a wildcard $objectType
nested directly underneath it? That's so we can save lots of different types of objects, all of which will inherit their rules from their parent nodes.
Instead of fighting the cascading rules, we're using them to our advantage and dramatically reducing the number of rules that we write.
We're leveraging custom claims to permit users with the admin
claim to read and write everything using auth.token.admin === true
. Custom claims are awesome, because they're available across all three types of security rules—Firestore, RTDB and Storage—as well as your browser's currentUser
JWT.
Frankly, we do most of our validation in our client-side applications; however, the RTDB's .validate
security rule will let you do validation right at your data layer.
If you find yourself in need of validation, we recommend reading the reference docs carefully. We also recommend not getting too carried away with validation in the security rules. These rules are better seen as a flexible way to add security to your app. If you have some sensitive data or operations and you need more assurances than the .read
and .write
rules can give you, it's time for some .validate
rules.
We're sure that we could write a sophisticated validation layer using the security rules, but we don't. We use client-side validation >99% of the time, because the vast majority of our writes aren't likely to be abused by an attacker. Any competent hacker will connect directly to your database and start testing your endpoints, so client-side validation won't stop hacking; however, it's easy enough to hide anything worth hacking deep within a cloud function or an admin-only data node, so try that first before relying on validation rules.