What is the best practice of firestore security rules?

[saseungmin]

Title

What is the best practice of firestore's security rules?

How to reproduce ☕️

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true
      allow write: if request.auth.uid == request.resource.data.author_uid
    }
  }
}

Your question/bug report 📓

What is the best practice of firestore's security rules when using next-auth and firebase adapter together?

Hi. there!
Can I get the value request.auth.uid from the firestore security rule?

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{document} {
      allow read: if true
      allow write: if request.auth.uid == request.resource.data.author_uid
    }
  }
}

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

When applied as above code, it works normally, but it is insecure rules.

Do I have to use "custom-auth" directly to get the value "request.auth"?

I'm using @next-auth/firebase-adapter 0.1.3, firebase v8.6.2 and next-auth v.3.29.0.

I would really appreciate it if someone gave me advice. 🙇‍♂️

Contributing 🙌🏽

No, I'm afraid I cannot help regarding this

[ndom91]

nextauthjs/next-auth has been migrated to a monorepository. The adapters code can now be found there under packages/adapter-*. Thanks for your interest in the project!

[DiegoGonzalezCruz]

Hi! I'm facing the same issue. I could sign In my users using the same uid , both in firestore and auth, but it seems I'm unable to pass through basic authentication rules.
How did you manage to do it @saseungmin ?

[NayamAmarshe]

Same issue here

[saseungmin]

@DiegoGonzalezCruz @NayamAmarshe

Unfortunately, I haven't solved this problem.
Eventually, I deleted all of the next-auth dependencies, and I'm working on the project using firebase v.9 and firebase-admin v.10.

I think it shouldn't be used in a production environment if there are no firestore security rules like now.

If you want to use firebase for custom auth, see here.

https://firebase.google.com/docs/firestore/security/insecure-rules

[DiegoGonzalezCruz]

Hi guys, for everyone wondering about firestore rules and next-auth adapter, I will try to help you out.
The problem with the adapter (as it is right now) is that it creates all the documents required for it to work, following a web approach. That means it only works with all-open rules, meaning it is not useful in production (we don't want open rules in prod).

To make it work, you need to re-write all the logic, using the firebase Admin SDK, following the documentation for Node.

Here you can see an example I'm using.
EXAMPLE
Feel free to add comments.

I hope it works!

[fronterior]

@saseungmin Please check.
@DiegoGonzalezCruz I don't see your example! But it looks like a similar approach to mine. I also think that the current firebase adapter should be changed. User private data in firebase cannot be used in frontend because the current method does not go through firebase-auth. I also faced this problem, and I succeeded in connecting next-auth and firebase-auth similar to the session method in the following way.

1. The firebase-adapter was recreated through the firebase-admin SDK.
2. In the api of the next project, create an endpoint that creates a firebase customToken only when logged in (when session object can be obtained).
3. In all requests for firebase data in frontend, if it fails due to unauthorized, create logic to get customToken via next api made in 2.
4. When customToken is created on the server, the sessionToken is added to additional claims and stored in customToken for access by firebase-rule, and sessionToken is stored in the token list of currently logged-in user data in firebase database for comparison by rule.
5. Now, if you authenticate with customToken in frontend, you can add a rule that allows data access only if the request.auth.token.sessionToken in the rule is the same as the sessionToken stored in the firebase database.

match /store/{userId}/{document=**} {
    	allow read, write: if request.auth.token.id == userId && exists(/databases/$(database)/documents/tokens/$(request.auth.uid)/sessions/$(request.auth.token.sessionToken));
}

6. When a session is deleted from the adapter (on logout), it clears the sessionToken stored in 4. With this, even customToken that has already been issued cannot be used after logging out of next-auth.

This is an example of implementing the description above.
I'd appreciate it if you could look at it and leave any suggestions.

---

I made an adapter package that works like my example. I will use this package until I apply from the official adapter.

[DiegoGonzalezCruz]

Great !! (I fixed my link) thanks!
This could be a great reference to the Firebase Adapter PR #3873

[fronterior]

I made an adapter package that works like my example. I will use this package until I apply from the official adapter. Unfortunately, there is no answer to my proposal in the official firebase adapter PR. I told in PR that authentication for using the firebase from front-end is common and important, but I don't know if it was delivered properly due to my lack of English. I was waiting for their answer, but I don't know what to do because there's no answer. Would it be a good idea to ask PR to refer to my implementation method one more time?