Question

Due to the thin AngularFire documentation and the differences between it and the default web documentation for Firebase, I'm a little lost on how best to secure Create, Read, Update, and Delete operations with users.

In short, say I have an application that manages stores. Users can be owners of the stores or patrons. Owners should read and edit their own stores in their view and patrons should read all but edit no stores in their view.

I'm concerned about the security of the methods suggested by the Firebase docs, such as:

So for example, we could have a rule like the following to allow users to create comments as long as they store their user id with the comment:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && newData.child('user_id').val() == auth.id"
    }
  }
}

To me, this means that I could hack my application's data by simply passing in my victim's user id when I want to post a comment as them. Am I wrong?

I've read the security documentation thoroughly, several times. I think I need further explanation here. Identifying by a client-exposed parameter is the only method I can find so far.


Solution

In the example shown here, auth refers to the authenticated user's token data. This is a special variable set by Firebase during auth() events, and thus not something you could hack at the client. In other words, you would only be able to write a comment if you set the user_id value to your own account id.

The contents of the auth object depend on how the client authenticates. For example, SimpleLogin's password provider puts the following into the auth token: provider, email, and id; any of which could be utilized in the security rules.

It's also possible to sign your own tokens from a server, and of course the sky is the limit here.

But the bottom line is that the token's internal values are provided by a trusted process and not by the client, and thus cannot be altered by a user.
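As an added example (not from the answer and not Firebase's SDK), here is a small hand-written model of how the rule quoted in the question is evaluated on the server side: the client supplies the payload, but `auth` comes from the verified session token, so writing another user's id into `user_id` is simply denied. The session, token and database objects are constructed for the demonstration.

```javascript
// Hand-modelled evaluation of the rule from the question:
//   ".write": "!data.exists() && newData.child('user_id').val() == auth.id"
// `data` is the existing value at /comments/$comment, `newData` the proposed value,
// `auth` the server-verified token payload (null when unauthenticated).
function commentWriteRule(data, newData, auth) {
  const dataExists = data !== null && data !== undefined;
  const userId = newData ? newData.user_id : undefined;
  return !dataExists && auth !== null && userId === auth.id;
}

// Models the trust boundary: the request body (path + newData) is client-controlled,
// while `auth` is taken from the server-verified session, never from the request.
function evaluateWrite(db, path, newData, session) {
  const auth = session ? session.verifiedToken : null; // set by the server, not the client
  const data = Object.prototype.hasOwnProperty.call(db, path) ? db[path] : null;
  return commentWriteRule(data, newData, auth);
}

// Constructed fixtures: an empty comments collection and a session for user "alice"
// whose token payload (provider, email, id) was issued by the auth provider.
const emptyDb = {};
const aliceSession = {
  verifiedToken: { provider: 'password', email: 'alice@example.test', id: 'alice' },
};

// Alice posts a comment carrying her own id: allowed.
const ownComment = evaluateWrite(
  emptyDb, 'comments/c1', { text: 'hi', user_id: 'alice' }, aliceSession);

// Alice puts "bob" in user_id: denied, because auth.id is still "alice"
// regardless of what the payload claims.
const forgedComment = evaluateWrite(
  emptyDb, 'comments/c2', { text: 'hi', user_id: 'bob' }, aliceSession);

// Unauthenticated client: denied, auth is null.
const anonComment = evaluateWrite(
  emptyDb, 'comments/c3', { text: 'hi', user_id: 'alice' }, null);

// Overwriting an existing comment: denied by !data.exists().
const dbWithComment = { 'comments/c1': { text: 'old', user_id: 'alice' } };
const overwrite = evaluateWrite(
  dbWithComment, 'comments/c1', { text: 'new', user_id: 'alice' }, aliceSession);
```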

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow