
HELP! - Scary email from Google Firebase (Client access to your Cloud Firestore database expiring in 4 day(s))

To make a long story short, we had a developer who recently stopped working for us. He helped create an app for iPhone in Xcode that downloads its data from a Google Firebase (Firestore) database he set up on our account. Today we got this quite scary email (see the attached screenshot below). Unfortunately we're between developers and don't have any Firebase developers at the moment (and the previous developer was fired and remains unresponsive to us). I'm only a UX designer and I honestly don't understand a word of this email. Is there anyone who knows Firebase who can help me understand it?

  1. Does this mean our database is publicly available on the surface web (so for example search engines can crawl/index it)?
  2. What do I do about this?

 

[attached screenshot of the email]


Yeah, your DB was basically configured without any proper authentication, allowing anyone to read/write data to/from it.

 

This should be a simple fix by turning off development mode and adding the proper keys to your app.


12 minutes ago, creat0r said:
  1. What do I do about this?

As the last paragraph says: "please write strong security rules that allow your app to function while appropriately protecting your data".

 

Basically, configure rules that block everything except your app(s).


1 hour ago, igormp said:

This should be a simple fix by turning off development mode and adding the proper keys to your app.

As mentioned, I'm a UX designer with no experience in Firebase. Where do I turn off development mode? What are keys? Where do I find keys, and where should I add them?


1 hour ago, Eigenvektor said:

Basically configure rules that block everything, except your app(s)

And how do I do that? What should I write? This is all that's visible:

[screenshot of the current Firestore rules]


6 hours ago, creat0r said:

And how do I do that? What should I write? This is all that's visible:

There is no simple answer to this, as it depends on what you store in there, how it is used and who should have access to what. Meaning the rules you need are specific to your app and its use case.

 

Your current rules simply state that anyone is allowed to read from or write to your Firestore, as long as the request was received before 2nd of May 2024.

 

I would recommend to read Google's getting started guide and follow its links at the bottom:

https://firebase.google.com/docs/firestore/security/get-started

 

If your app uses Firebase Authentication, a first step would be to limit access to people who are signed in:

allow read, write: if request.auth != null;

 

However, that is very broad and not particularly secure. Ideally you want to add rules to individual paths, so that specific data is only readable or writable if more specific conditions are met. For example, certain data might be read-only, or should only be editable by the user who created it.

 

But as I said, that depends on what type of data your app stores in there and how it is used.

 

You can find basic examples in Google's documentation. Make sure to check out the Next Steps at the bottom of each.

https://firebase.google.com/docs/firestore/security/rules-structure

https://firebase.google.com/docs/firestore/security/rules-conditions

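To make the advice above concrete, here is a complete Firestore rules file that applies the pattern described in the thread: deny by default, require a signed-in user, and then open individual paths only as far as the data needs. This is an added illustration, not the rules from the original poster's project or from Google's documentation; the collection names (catalog, users, posts) and field names (ownerUid, displayName, email) are assumptions and must be replaced with whatever the app actually reads and writes.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The kind of rule the warning email is about (per the thread): anyone,
    // signed in or not, can read and write everything until the date expires.
    // Shown here for comparison only; remove it.
    //
    // match /{document=**} {
    //   allow read, write: if request.time < timestamp.date(2024, 5, 2);
    // }

    // Firestore denies any request that no rule explicitly allows, so this
    // catch-all is documentation rather than a requirement. It makes the
    // intent obvious to the next developer who opens the file.
    match /{document=**} {
      allow read, write: if false;
    }

    // Reference data the app only downloads (assumed collection "catalog"):
    // readable by any signed-in user, never writable from the client.
    // Edit it through the Firebase console or the Admin SDK instead.
    match /catalog/{itemId} {
      allow read: if request.auth != null;
      allow write: if false;
    }

    // Per-user profile documents keyed by the Firebase Auth UID (assumed
    // collection "users"): only the owner can read or change their own
    // document, and a new document may only contain the fields listed here.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['displayName', 'email'])
                    && request.resource.data.displayName is string
                    && request.resource.data.displayName.size() <= 64;
    }

    // User-generated content (assumed collection "posts" with an "ownerUid"
    // field): any signed-in user may read; only the author may create,
    // update or delete, and the owner field cannot be reassigned on update.
    // Note that request.resource is not available on delete, so the delete
    // rule checks only the stored document (resource).
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null
                    && request.resource.data.ownerUid == request.auth.uid;
      allow update: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid
                    && request.resource.data.ownerUid == resource.data.ownerUid;
      allow delete: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid;
    }
  }
}
```

Paste the file into the Rules tab of the Firestore section of the Firebase console (or deploy it with `firebase deploy --only firestore:rules` if the project's CLI setup still exists) and use the console's Rules Playground to try reads and writes as an unauthenticated user and as a signed-in user before publishing. Two caveats worth knowing: the rules only take effect once published, and the Web API key that ships inside the iOS app is an identifier, not a secret, so it does not protect anything on its own; the rules are the actual access control. Once published, an unauthenticated request to the Firestore REST endpoint for one of the collections (https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)/documents/COLLECTION, with your own project ID and collection name substituted) should return a permission error rather than data, which is a quick external check that the old open rules are gone.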
