From 8e466ea69ffd2f5ca6b47abfeaed8e9eb0e0e007 Mon Sep 17 00:00:00 2001
From: Joe Hanley
Date: Mon, 5 May 2025 15:16:34 -0700
Subject: [PATCH 1/2] Remove globs from default Firestore rules
---
 templates/init/firestore/firestore.rules | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/templates/init/firestore/firestore.rules b/templates/init/firestore/firestore.rules
index a03962e0a09..c821989b03a 100644
--- a/templates/init/firestore/firestore.rules
+++ b/templates/init/firestore/firestore.rules
@@ -1,16 +1,14 @@
 service cloud.firestore {
 match /databases/{database}/documents {
- match /{document=**} {
- // This rule allows anyone with your database reference to view, edit,
- // and delete all data in your database. It is useful for getting
- // started, but it is configured to expire after 30 days because it
- // leaves your app open to attackers. At that time, all client
- // requests to your database will be denied.
- //
- // Make sure to write security rules for your app before that time, or
- // else all client requests to your database will be denied until you
- // update your rules.
- allow read, write: if request.time < timestamp.date({{IN_30_DAYS}});
- }
+ // This rule allows anyone with your database reference to view, edit,
+ // and delete all data in your database. It is useful for getting
+ // started, but it is configured to expire after 30 days because it
+ // leaves your app open to attackers. At that time, all client
+ // requests to your database will be denied.
+ //
+ // Make sure to write security rules for your app before that time, or
+ // else all client requests to your database will be denied until you
+ // update your rules.
+ allow read, write: if request.time < timestamp.date({{IN_30_DAYS}});
 }
 }
From aaf18311cb4ccc0240f622a91c50d6ab4b5b3aaf Mon Sep 17 00:00:00 2001
From: Joe Hanley
Date: Mon, 5 May 2025 16:10:46 -0700
Subject: [PATCH 2/2] Make default security rules safer
---
 CHANGELOG.md | 1 +
 src/init/features/database.ts | 2 +-
 templates/init/firestore/firestore.rules | 19 +++++++++----------
 templates/init/storage/storage.rules | 13 +++++++------
 4 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f3b8892d5cb..38322fdf512 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,2 +1,3 @@
 - Fixed an issue where the prompt to create apphosting.emulator.yaml did not work with backends that are not at the project.root (#8412)
 - Fixed an issue where Terms of Service acceptance would be checked for non-human users.
+- Changed default security rules from `firebase init` to be more secure.
diff --git a/src/init/features/database.ts b/src/init/features/database.ts
index 5b17acf3584..d38426a280e 100644
--- a/src/init/features/database.ts
+++ b/src/init/features/database.ts
@@ -33,7 +33,7 @@ interface DatabaseSetupConfig {
 }

 const DEFAULT_RULES = JSON.stringify(
- { rules: { ".read": "auth != null", ".write": "auth != null" } },
+ { rules: { some_path: { ".read": "auth != null", ".write": "auth != null" } } },
 null,
 2,
 );
diff --git a/templates/init/firestore/firestore.rules b/templates/init/firestore/firestore.rules
index c821989b03a..b7fdfc84f28 100644
--- a/templates/init/firestore/firestore.rules
+++ b/templates/init/firestore/firestore.rules
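Review bot: The `auth != null` condition kept on `some_path` in `DEFAULT_RULES` (src/init/features/database.ts) admits every signed-in account, so in a project that enables anonymous or open self-service sign-up the whole subtree is readable and writable by anyone who can obtain a token. The firestore.rules and storage.rules hunks of this patch use the equivalent `request.auth != null` and have the same gap. Because this default is produced by `JSON.stringify`, it cannot carry the explanatory comment the two templates have; I would add one above the constant, `// some_path is a placeholder: every other path is denied by default, and auth != null admits any signed-in user.`, and add a matching sentence to both template comments. The `JSON.stringify(` call is fully visible, but the surrounding file is outside the hunk.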
@@ -1,14 +1,13 @@
+rules_version = '2';
+
 service cloud.firestore {
 match /databases/{database}/documents {
- // This rule allows anyone with your database reference to view, edit,
- // and delete all data in your database. It is useful for getting
- // started, but it is configured to expire after 30 days because it
- // leaves your app open to attackers. At that time, all client
- // requests to your database will be denied.
- //
- // Make sure to write security rules for your app before that time, or
- // else all client requests to your database will be denied until you
- // update your rules.
- allow read, write: if request.time < timestamp.date({{IN_30_DAYS}});
+ // Security rules are closed by default - if you don't have a rule that grants access,
+ // clients will not be able to read or write to that location in Firestore.
+ // Below is an example of how to open up a collection to only authenticated users
+ // For more help developing your security rules, see https://firebase.google.com/docs/rules/basics
+ match /some_collection/{document} {
+ allow read, write: if request.auth != null;
+ }
 }
 }
diff --git a/templates/init/storage/storage.rules b/templates/init/storage/storage.rules
index f08744f032e..660def6c4db 100644
--- a/templates/init/storage/storage.rules
+++ b/templates/init/storage/storage.rules
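Review bot: The example comment above `match /some_collection/{document}` does not say that `{document}` is a single-segment wildcard, so the rule covers documents directly in `some_collection` but not documents in their subcollections. Someone who copies the example for nested data will find those requests denied, which fails safe but is confusing. One more comment line would help, e.g. `// This matches documents directly in some_collection; subcollections need their own match block.` The storage.rules hunk has the same gap for `match /some_folder/{fileName}`, which I expect does not cover files in nested folders.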
@@ -1,12 +1,13 @@ rules_version = '2'; -// Craft rules based on data in your Firestore database -// allow write: if firestore.get( -// /databases/(default)/documents/users/$(request.auth.uid)).data.isAdmin; +// Security rules are closed by default - if you don't have a rule that grants access, +// clients will not be able to read or write to that location in Storafe. +// Below is an example of how to open up a folder to only authenticated users +// For more help developing your security rules, see https://firebase.google.com/docs/rules/basics service firebase.storage { match /b/{bucket}/o { - match /{allPaths=**} { - allow read, write: if false; + match /some_folder/{fileName} { + allow read, write: if request.auth != null; } } -} +} \ No newline at end of file
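Review bot: The added comment misspells the product name: `// clients will not be able to read or write to that location in Storafe.` should end in `Storage.`. Since this template is copied into every project that runs `firebase init`, the typo would ship in user-owned rules files. The new side also loses the trailing newline after the closing `}` (see `\ No newline at end of file`), which the old file had; restoring it keeps the template consistent with firestore.rules.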