Security issues: Missing Firebase db security rules

[edguerrade]

I'm concerned that there is no mention (or I don't see it) to security rules on firebase db. I know this is a kind of boilerplate or introductory tutorial, but if the focus is in React + Firebase it should be a must!

It would be so helpful to add some rules, i.e:

• Messages should only be edited by the owner.
• Only user with role admin should have the permissions to see users' data (or own logged user data), on boilerplate are only restricted by route's condition.
• Some kind of validation rule, maybe a message length (just for introducing us).

I'm introducing myself to Firebase, reading the security documentation, trying to manage those rules but, despite the simplicity, it's a little confusing without real example. Maybe anyone could shed light on this matter.

Sorry about my English (I try to improve it).
Thanks a lot @rwieruch for your job!

[rwieruch]

Hello @edguerrade

Regarding the security rules I am opinionated, because I don't want to play into Firebase's (Google's) arms by just relying on their system tailored solution. In the long run, I want to avoid the vendor lock-in. That's why I like to give users roles and permissions myself, like described in this chapter of the book https://www.robinwieruch.de/react-firebase-authorization-roles-permissions/ because then you can always migrate everything to your own database. I hope this statement makes sense. Let me know what you think about it.

After talking to @edguerrade about this issue, I agree that this needs to be addressed. See #26

Best, Robin