1
00:00:00,600 --> 00:00:01,590
-: Hi.

2
00:00:01,590 --> 00:00:02,640
Within this lecture

3
00:00:02,640 --> 00:00:03,870
we are going to deep dive

4
00:00:03,870 --> 00:00:06,510
into the Firestore security rules,

5
00:00:06,510 --> 00:00:08,160
so that we can make our

6
00:00:08,160 --> 00:00:10,830
firebase app perfectly safe.

7
00:00:10,830 --> 00:00:13,530
So far we have actually

8
00:00:13,530 --> 00:00:15,690
implemented a condition,

9
00:00:15,690 --> 00:00:18,210
in the write part, okay?

10
00:00:18,210 --> 00:00:21,420
And we didn't do anything for the read part,

11
00:00:21,420 --> 00:00:24,330
and we are going to see how to create functions,

12
00:00:24,330 --> 00:00:26,820
and how to implement, update,

13
00:00:26,820 --> 00:00:30,480
and delete operations in here, as well.

14
00:00:30,480 --> 00:00:31,313
For example,

15
00:00:31,313 --> 00:00:33,480
right now we only have read and write

16
00:00:33,480 --> 00:00:35,880
for, for some purpose

17
00:00:35,880 --> 00:00:38,910
I want to maybe, allow updating

18
00:00:38,910 --> 00:00:42,060
or deleting, with conditions, as well.

19
00:00:42,060 --> 00:00:44,430
So I'm going to say allow update,

20
00:00:44,430 --> 00:00:47,940
and I'm going to say allow delete.

21
00:00:47,940 --> 00:00:49,890
So this is good.

22
00:00:49,890 --> 00:00:52,050
Maybe, we don't want to delete anything.

23
00:00:52,050 --> 00:00:54,660
Then I can just say allow delete false,

24
00:00:54,660 --> 00:00:55,980
but I'm not gonna do that.

25
00:00:55,980 --> 00:01:00,120
Maybe, I just want to check if the request.auth

26
00:01:00,120 --> 00:01:02,790
is not null in every condition,

27
00:01:02,790 --> 00:01:04,710
but if I wanna do that,

28
00:01:04,710 --> 00:01:07,890
if I want to check for authentication

29
00:01:07,890 --> 00:01:09,210
in every procedure,

30
00:01:09,210 --> 00:01:10,890
maybe, it's better for me

31
00:01:10,890 --> 00:01:13,350
to create a function for that.
32
00:01:13,350 --> 00:01:14,880
So, under match,

33
00:01:14,880 --> 00:01:17,520
I'm going to write function, okay?

34
00:01:17,520 --> 00:01:19,440
So I'm writing this under match,

35
00:01:19,440 --> 00:01:20,910
not inside of the match,

36
00:01:20,910 --> 00:01:21,743
as you can see,

37
00:01:21,743 --> 00:01:24,360
I'm outside of these curly braces,

38
00:01:24,360 --> 00:01:28,170
but I'm inside of this match curly braces.

39
00:01:28,170 --> 00:01:29,040
Okay?

40
00:01:29,040 --> 00:01:31,260
So think of this like a class,

41
00:01:31,260 --> 00:01:34,530
and I'm writing the function over here.

42
00:01:34,530 --> 00:01:36,030
So I'm going to call

43
00:01:36,030 --> 00:01:37,890
our function is authenticated,

44
00:01:37,890 --> 00:01:39,630
or is signed in.

45
00:01:39,630 --> 00:01:41,790
So this function will actually

46
00:01:41,790 --> 00:01:44,490
return the condition of

47
00:01:44,490 --> 00:01:47,040
whether this is authenticated or not.

48
00:01:47,040 --> 00:01:49,153
So I'm gonna call this, is,

49
00:01:49,153 --> 00:01:52,350
isSignedIn, like this, okay?

50
00:01:52,350 --> 00:01:53,970
And this is not very different

51
00:01:53,970 --> 00:01:55,410
from writing a function

52
00:01:55,410 --> 00:01:57,870
in Java or in Swift.

53
00:01:57,870 --> 00:01:58,830
So all you have to do is

54
00:01:58,830 --> 00:02:00,690
just open these curly braces,

55
00:02:00,690 --> 00:02:03,240
and this is your coding block right now.

56
00:02:03,240 --> 00:02:06,450
So we what, what you wanna return over here

57
00:02:06,450 --> 00:02:11,450
is the authentication state of the current request.

58
00:02:11,640 --> 00:02:15,120
So I'm going to say return request.auth,

59
00:02:16,740 --> 00:02:18,540
and is not null of course.

60
00:02:18,540 --> 00:02:20,640
So if this is not null,

61
00:02:20,640 --> 00:02:23,430
it means that it's authenticated.
62
00:02:23,430 --> 00:02:27,210
So rather than saying request.auth is not null,

63
00:02:27,210 --> 00:02:29,340
right now I can actually say,

64
00:02:29,340 --> 00:02:32,220
if isSignedIn, right?

65
00:02:32,220 --> 00:02:37,220
So this will make our code very easy like this.

66
00:02:37,950 --> 00:02:40,530
So I'm going to allow write,

67
00:02:40,530 --> 00:02:42,360
only, and only if,

68
00:02:42,360 --> 00:02:43,860
the user is signed in,

69
00:02:43,860 --> 00:02:45,480
and I'm checking this

70
00:02:45,480 --> 00:02:47,850
in a function like that.

71
00:02:47,850 --> 00:02:51,360
So it's pretty straightforward, right?

72
00:02:51,360 --> 00:02:55,590
So you can just create your own function like this.

73
00:02:55,590 --> 00:02:57,390
Now the way that you want

74
00:02:57,390 --> 00:02:59,670
and you can do the same thing for update,

75
00:02:59,670 --> 00:03:01,920
you can do the same thing for delete,

76
00:03:01,920 --> 00:03:03,030
and you can actually,

77
00:03:03,030 --> 00:03:04,800
do the same thing for read, as well.

78
00:03:04,800 --> 00:03:05,817
But in this case,

79
00:03:05,817 --> 00:03:09,810
I'm not going to do this for reading, okay?

80
00:03:09,810 --> 00:03:14,250
And over here, we don't need any semicolon, right?

81
00:03:14,250 --> 00:03:15,180
Like that.

82
00:03:15,180 --> 00:03:16,530
Okay?

83
00:03:16,530 --> 00:03:19,380
And let's do that actually,

84
00:03:19,380 --> 00:03:23,520
let's add the if isSignedIn condition,

85
00:03:23,520 --> 00:03:27,810
in update, and delete, and leave the read alone.

86
00:03:27,810 --> 00:03:32,040
So we will allow reading in every instance,

87
00:03:32,040 --> 00:03:33,840
and we will allow updating,

88
00:03:33,840 --> 00:03:37,410
if isSignedIn, like this.

89
00:03:37,410 --> 00:03:39,810
Okay? And here you go.

90
00:03:39,810 --> 00:03:43,310
We are going to allow deleting if isSignedIn.
91
00:03:44,340 --> 00:03:46,950
So, so far so good,

92
00:03:46,950 --> 00:03:51,060
and I'm going to save this, like that.

93
00:03:51,060 --> 00:03:52,050
And here you go.

94
00:03:52,050 --> 00:03:56,490
Now we have a complete, working, secure app.

95
00:03:56,490 --> 00:03:59,880
Maybe it's not secure, as much as you want.

96
00:03:59,880 --> 00:04:00,713
For example,

97
00:04:00,713 --> 00:04:03,800
maybe you may want to check one more condition.

98
00:04:03,800 --> 00:04:05,190
Like what?

99
00:04:05,190 --> 00:04:06,023
Like maybe,

100
00:04:06,023 --> 00:04:09,840
you may want to allow deleting or updating,

101
00:04:09,840 --> 00:04:11,790
if and only if,

102
00:04:11,790 --> 00:04:15,450
you are dealing with the current user, right?

103
00:04:15,450 --> 00:04:16,920
So what do I mean?

104
00:04:16,920 --> 00:04:19,350
For example, if I tweet something,

105
00:04:19,350 --> 00:04:21,060
and if I want to update it,

106
00:04:21,060 --> 00:04:22,830
or delete it, okay,

107
00:04:22,830 --> 00:04:24,577
I can check for the UID.

108
00:04:25,650 --> 00:04:29,043
So if you say request.auth.UID,

109
00:04:29,881 --> 00:04:33,660
it means that request is coming from this user.

110
00:04:33,660 --> 00:04:34,830
So remember,

111
00:04:34,830 --> 00:04:39,360
every user has its own user unique IDs.

112
00:04:39,360 --> 00:04:41,160
And in order to check that,

113
00:04:41,160 --> 00:04:44,520
of course, you need to actually store

114
00:04:44,520 --> 00:04:47,108
it in Firestore database.

115
00:04:47,108 --> 00:04:49,007
Like in the tweets,

116
00:04:49,007 --> 00:04:50,850
right now unfortunately,

117
00:04:50,850 --> 00:04:53,280
we only have the user emails,

118
00:04:53,280 --> 00:04:55,170
rather than user IDs.
119
00:04:55,170 --> 00:04:58,500
It's a good idea to include the user UIDs,

120
00:04:58,500 --> 00:04:59,540
in the user,

121
00:04:59,540 --> 00:05:03,480
or in the tweet Firestore over here,

122
00:05:03,480 --> 00:05:05,280
so that we can get this data,

123
00:05:05,280 --> 00:05:06,271
and check it,

124
00:05:06,271 --> 00:05:09,870
cross reference it, like over here.

125
00:05:09,870 --> 00:05:11,610
So, we don't have that,

126
00:05:11,610 --> 00:05:15,000
but it's not going to be a problem for us.

127
00:05:15,000 --> 00:05:17,632
I'm just going to show you how to do that,

128
00:05:17,632 --> 00:05:22,560
like pretending that user email is our user ID.

129
00:05:22,560 --> 00:05:23,670
Okay?

130
00:05:23,670 --> 00:05:26,100
So if you wanna do that,

131
00:05:26,100 --> 00:05:28,800
make sure you include user IDs

132
00:05:28,800 --> 00:05:32,670
in your own Firestore app,

133
00:05:32,670 --> 00:05:35,580
when you try to create something like that.

134
00:05:35,580 --> 00:05:38,400
And this is generally the case when you try with

135
00:05:38,400 --> 00:05:39,690
a social app.

136
00:05:39,690 --> 00:05:42,000
So whether you're posting a picture,

137
00:05:42,000 --> 00:05:43,530
whether you're posting a tweet,

138
00:05:43,530 --> 00:05:45,240
or something like that,

139
00:05:45,240 --> 00:05:48,360
maybe you may want to allow

140
00:05:48,360 --> 00:05:50,760
only the user itself to update

141
00:05:50,760 --> 00:05:54,090
or change the data, right?
142
00:05:54,090 --> 00:05:56,190
So for example,

143
00:05:56,190 --> 00:05:58,020
I'm just going to assume

144
00:05:58,020 --> 00:06:00,360
that we want to update the data,

145
00:06:00,360 --> 00:06:03,450
if and only if, the user is signed in,

146
00:06:03,450 --> 00:06:05,850
and, also, if and only if,

147
00:06:05,850 --> 00:06:08,280
user is authenticated,

148
00:06:08,280 --> 00:06:10,530
and the, the request is coming

149
00:06:10,530 --> 00:06:12,120
from the same user.

150
00:06:12,120 --> 00:06:14,790
So maybe we can create a function,

151
00:06:14,790 --> 00:06:17,520
like isOwner for that, as well.

152
00:06:17,520 --> 00:06:18,540
So over here,

153
00:06:18,540 --> 00:06:19,710
I'm going to check

154
00:06:19,710 --> 00:06:24,690
for the request.auth.uuid, UID, right?

155
00:06:24,690 --> 00:06:27,480
So I'm going to return this, okay?

156
00:06:27,480 --> 00:06:29,100
So I'm going to do the same thing.

157
00:06:29,100 --> 00:06:31,230
I'm going to return a value,

158
00:06:31,230 --> 00:06:32,640
and this value will be the

159
00:06:32,640 --> 00:06:35,550
request.auth.UID itself.

160
00:06:35,550 --> 00:06:36,720
Then, I'm going to check

161
00:06:36,720 --> 00:06:40,620
if this is the same UID, like this,

162
00:06:40,620 --> 00:06:41,453
okay?

163
00:06:41,453 --> 00:06:42,900
And I'm going to check to see

164
00:06:42,900 --> 00:06:44,979
if this is equal to

165
00:06:44,979 --> 00:06:47,097
request.UUID.

166
00:06:47,097 --> 00:06:48,600
And in order to do that,

167
00:06:48,600 --> 00:06:49,950
actually we are going to take

168
00:06:49,950 --> 00:06:52,080
in some parameter over here,

169
00:06:52,080 --> 00:06:53,280
like a mail.

170
00:06:53,280 --> 00:06:54,113
Okay?

171
00:06:54,113 --> 00:06:55,620
I'm going to say mail over here,

172
00:06:55,620 --> 00:06:58,020
and mail over there, okay?
173
00:06:58,020 --> 00:06:59,880
And we're going to pass that parameter,

174
00:06:59,880 --> 00:07:04,880
pass that input, from the above rules.

175
00:07:05,940 --> 00:07:08,550
You will see what I mean in a minute,

176
00:07:08,550 --> 00:07:12,090
and it will check to see if this is true or not.

177
00:07:12,090 --> 00:07:13,140
Okay?

178
00:07:13,140 --> 00:07:14,760
And what I'm going to do,

179
00:07:14,760 --> 00:07:16,800
I'm going to come over here

180
00:07:16,800 --> 00:07:18,930
to update function,

181
00:07:18,930 --> 00:07:22,680
and say an and operator over here.

182
00:07:22,680 --> 00:07:24,030
So this will check,

183
00:07:24,030 --> 00:07:28,800
if isSignedIn and if isOwner, as well.

184
00:07:28,800 --> 00:07:29,700
So over here,

185
00:07:29,700 --> 00:07:33,510
I need to pass in a parameter, like email.

186
00:07:33,510 --> 00:07:36,210
So I'm going to say user email,

187
00:07:36,210 --> 00:07:38,880
which is the thing that I have

188
00:07:38,880 --> 00:07:42,610
in my account, in my Firestore database.

189
00:07:42,610 --> 00:07:44,910
Actually it would be much easier

190
00:07:44,910 --> 00:07:49,530
if you had the UID in your Firestore as I said before.

191
00:07:49,530 --> 00:07:52,410
But right now, just for test purposes

192
00:07:52,410 --> 00:07:53,580
I'm just gonna do this,

193
00:07:53,580 --> 00:07:56,280
okay, isOwner user email.

194
00:07:56,280 --> 00:07:57,930
So this will crosscheck,

195
00:07:57,930 --> 00:08:02,930
if the user ID is actually match, is a match,

196
00:08:03,450 --> 00:08:06,720
and if it's a match, it'll update the value.

197
00:08:06,720 --> 00:08:09,960
Or if it's not a match, it won't update the value.

198
00:08:09,960 --> 00:08:10,793
Okay?

199
00:08:10,793 --> 00:08:13,200
It will check for this user UID.

200
00:08:13,200 --> 00:08:15,960
So this is how you create security rules.
201
00:08:15,960 --> 00:08:18,780
This is how you create custom functions

202
00:08:18,780 --> 00:08:20,610
inside of your security rules.

203
00:08:20,610 --> 00:08:23,100
You don't have to create these custom functions,

204
00:08:23,100 --> 00:08:24,810
it's just for test purposes.

205
00:08:24,810 --> 00:08:27,420
It's just for educational purposes only,

206
00:08:27,420 --> 00:08:28,497
right now.

207
00:08:28,497 --> 00:08:30,360
But if you want to do that,

208
00:08:30,360 --> 00:08:33,030
you can use this same thing,

209
00:08:33,030 --> 00:08:35,610
you can use the same structure,

210
00:08:35,610 --> 00:08:37,740
in order to create your own,

211
00:08:37,740 --> 00:08:40,710
and this will make your app much more secure.

212
00:08:40,710 --> 00:08:43,290
This will make your app vulnerable against

213
00:08:43,290 --> 00:08:45,090
this risk call attacks,

214
00:08:45,090 --> 00:08:47,070
so that people cannot download

215
00:08:47,070 --> 00:08:49,380
your entire database

216
00:08:49,380 --> 00:08:52,950
or change it in a way they want.

217
00:08:52,950 --> 00:08:56,130
So I believe this section was

218
00:08:56,130 --> 00:08:59,010
one of the most important sections of the course,

219
00:08:59,010 --> 00:09:01,800
because you have learned a lot of new skills.

220
00:09:01,800 --> 00:09:03,060
I hope you enjoyed it.

221
00:09:03,060 --> 00:09:04,320
We're gonna stop here

222
00:09:04,320 --> 00:09:08,043
and continue with a CTF challenge.