FixVibe


Firebase allow read, write: if true explained: what it means and how to fix it

<code>allow read, write: if true;</code> is the most common Firebase misconfiguration found in production. It is the test-mode default the Firebase Console offers when you create a new database, the rule AI coding tools reproduce from the documentation, and the rule that opens your entire Firestore database to anyone on the internet. This explainer walks through the syntax line by line, shows what an attacker sees while the rule is live, and gives you four progressively stricter replacements for different use cases.

The syntax, line by line

A complete Firestore test-mode rules document is six lines:

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

Decoded:

  • rules_version = '2'; selects the v2 rules engine (the current one). The old v1 rules are deprecated.
  • service cloud.firestore scopes the block to Firestore. The Realtime Database uses a different JSON-based syntax; Cloud Storage uses service firebase.storage.
  • match /databases/{database}/documents binds the (default) database (most projects have only one).
  • match /{document=**} is a recursive wildcard. The ** matches every path at every depth. Unlike {document}, it captures every document in every collection: a single match clause governs the whole database.
  • allow read, write: if true; is the rule body. Both read and write are allowed; the condition if true is always true. read covers the get and list operations; write covers create, update, and delete.

Net effect: any client with the Firebase project ID and the right SDK can read or write every document in every collection. No authentication is required. No rate limits apply.

Why Firebase ships this as the default

Firebase wants you happily coding within 30 seconds of creating a project. The alternative, writing a correct rule before any read or write works, would block onboarding. The Console offers two options when you create a database: Production mode (deny everything, you write the rules) or Test mode (allow everything for 30 days). Most developers click test mode, then forget to come back. Older projects had a 30-day timer; current projects get an indefinite if true rule with no automatic expiry.

The structural problem: AI coding tools are trained on documentation, tutorials, and Stack Overflow answers that show test-mode rules. When you ask Cursor or Claude Code "how to set up Firebase," the answer usually includes the exact allow read, write: if true block as if it were the production rule. The AI does not know, and is not prompted to know, that this rule is unacceptable in production.

What an attacker sees

Concretely, an attacker who knows your Firebase project ID (extractable from a deployed app's bundle in 30 seconds) and does the following can list every document in every collection:

A single unauthenticated curl request is enough to enumerate every collection. See the highlighted block below.

```bash
curl 'https://firestore.googleapis.com/v1/projects/[project-id]/databases/(default)/documents:listCollectionIds' \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{}'
```

The response lists all top-level collections. For each collection, one more request returns its documents. There is no rate limit on this path because if true rules accept anonymous traffic. We have seen Firebase databases with several million documents enumerated within an hour.

On the write path: a single POST with {fields} creates a new document. Attackers can inject rows into your collections, deface user-facing pages that read from Firestore, or use your database as a free message broker: your usage bill spikes, you want to know why, and the bill tells the story.

Four production-safe replacements

Pick the replacement that matches your app's data model. All four assume you have user authentication (Firebase Auth or a provider that issues Firebase ID tokens):

Option 1: User-owned documents

The common SaaS pattern. Documents live under /users/{userId}/... and only the owner can touch them.

```firebase
match /users/{userId}/{document=**} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}
```

Option 2: Owner field on every document

If documents live in flat collections (not nested under a user ID), add an owner_uid field and check it.

```firebase
match /posts/{postId} {
  allow read:  if resource.data.public == true
              || resource.data.owner_uid == request.auth.uid;
  allow write: if request.auth.uid == resource.data.owner_uid;
}
```

Option 3: Multi-tenant org isolation

For B2B SaaS with org-scoped data. Add an org_id field to every document and check it against a custom claim on the user. Set the custom claim at sign-up time via the Firebase Admin SDK.

```firebase
allow read, write: if request.auth.token.org_id == resource.data.org_id;
```

Option 4: Read-only public content

For marketing content, public profiles, product catalogs: anything that is public-read and admin-only-write. The admin custom claim is set on admin accounts only.

```firebase
match /products/{productId} {
  allow read:  if true;
  allow write: if request.auth.token.admin == true;
}
```

Quick audit query

Before fixing, check whether if true is live. Open Firebase Console, then Firestore, then Rules, and search for if true. If you find it anywhere outside a comment, that is your open-rule finding. The Rules simulator in the same UI lets you replay the attacker's request locally: paste an anonymous GET /users/somebody and confirm that the simulator reports Allowed.
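As an added example (not FixVibe's scanner and not part of the original page), a small Python audit that does the same search over a firestore.rules file, but tracks the enclosing match paths so an open read on a recursive {document=**} wildcard ranks above an intentional public-read on a single collection (Option 4). The sample rules document is the test-mode one from this page, embedded inline.

```python
import re

# Constructed sample input: the test-mode rules document from this page.
TEST_MODE_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
"""

MATCH_RE = re.compile(r'^\s*match\s+(\S+)\s*\{')
# Only single-line conditions are inspected; a condition that spans lines
# (as in Option 1) is never a bare `if true`, so skipping it is safe.
ALLOW_RE = re.compile(r'^\s*allow\s+([\w\s,]+?)\s*:\s*if\s+(.+?)\s*;')
WRITE_OPS = {'write', 'create', 'update', 'delete'}

def audit_rules(rules_text):
    """Flag every allow statement whose only guard is `if true`.
    Severity: 'critical' if the open rule grants any write operation,
    'high' for an open read on a recursive {x=**} wildcard (the whole
    database is listable), 'info' for an open read on a single
    collection, which may be intentional (Option 4)."""
    findings, paths, opened_at, depth = [], [], [], 0
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = MATCH_RE.match(line)
        if m:  # a match block opens at the current brace depth
            paths.append(m.group(1))
            opened_at.append(depth)
        a = ALLOW_RE.match(line)
        if a and a.group(2) == 'true':
            ops = [op.strip() for op in a.group(1).split(',')]
            path = ''.join(paths)  # full path of the enclosing match blocks
            severity = ('critical' if WRITE_OPS & set(ops)
                        else 'high' if '**' in path else 'info')
            findings.append({'line': lineno, 'path': path,
                             'ops': ops, 'severity': severity})
        depth += line.count('{') - line.count('}')
        while opened_at and depth <= opened_at[-1]:  # match block closed
            paths.pop()
            opened_at.pop()
    return findings
```

Run it over your own firestore.rules before deploying; anything rated critical or high is the open-rule finding this page describes.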

External confirmation: run a FixVibe scan against your production URL. The baas.firebase-rules check probes your Firestore, Realtime Database, and Storage rules and reports the finding as an attacker sees it, independently of what the Firebase Console shows.

Frequently asked questions

What is the difference between <code>if true</code> and <code>if request.auth != null</code>?

if true permits anonymous access: everyone on the internet. if request.auth != null requires a signed-in user, which is better but still not enough: any user of your app can read any other user's data. Production rules should scope to the right user or org via request.auth.uid == resource.data.owner_uid or the equivalent.

Does Firebase auto-expire <code>if true</code> rules?

Older projects (pre-2023) had a 30-day timer that converted if true rules to if false. Current projects do not; the rule stays until you change it yourself. If you created your project before 2023 and your rules look fine, double-check: the timer may already have flipped them to if false, which blocks your app.

Can a future-date timestamp check be used as a safety net?

No; a timestamp condition is not a security control. It expires the open rule on a future date, which means attackers have full access until that date. And you will forget the date. Replace if true with an auth-scoped rule, not a time-bounded one.

What if your app really is public-read (blog, product catalog)?

Then write allow read: if true; allow write: if false; on the public collection only, not on every collection in your database. Use a separate match clause per collection and never use the recursive {document=**} wildcard in writable rules.

Next steps

Run a FixVibe scan against your production URL: the baas.firebase-rules check confirms whether if true is exploitable from the public internet. For scanner mechanics and the parallel detections for Realtime Database and Storage, see Firebase rules scanner. For the same class of misconfiguration in Supabase, read Supabase RLS scanner.

// scan your baas surface

Find the open tables before someone else does.

Paste a production URL. FixVibe reads which BaaS provider your app talks to, fingerprints its public endpoints, and reports what an unauthenticated client can read or write. No payment, no install, no card.

  • Free tier: 3 scans per month, no card required at signup.
  • Passive BaaS fingerprinting: no domain verification required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompts on every finding: paste them back into Cursor / Claude Code.