Security: Kalebtes2031/Popcornly

docs/SECURITY.md

Security Notes

Current Security Priorities

  1. Enforce least-privilege access for every collection.
  2. Prevent cross-user data access and ownership spoofing.
  3. Restrict writes to expected schema only.
  4. Lock immutable fields and deny unknown collections by default.

Hardened Firestore Rules (Implemented)

Current firestore.rules now enforces:

  1. users collection:
     - Read only by owner (request.auth.uid == userId).
     - Create requires exact keys and type checks (uid, email, username, createdAt).
     - Update only allows username mutation; uid, email, createdAt are immutable.
     - Delete denied.
  2. favorites collection:
     - Read/delete only for owner (resource.data.userId == request.auth.uid).
     - Create requires strict schema (userId, itemId, type, title, poster, savedAt).
     - type limited to movie or tv.
     - Update denied.
  3. metrics and tvMetrics collections:
     - Public read allowed.
     - Create requires strict schema and count == 1.
     - Update only allows count increment by exactly +1; all other fields immutable.
     - Delete denied.
  4. Catch-all deny rule for all undeclared collections.
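One way the constraints listed above can be written in a firestore.rules file, as an added example rather than the repository's own rules file. It follows the page's description directly; the metric field names other than count (id, title, searchTerm, taken from the validation matrix below), the value types on favorites and metrics fields, and the document id wildcard names are assumptions.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Helpers shared by every collection below.
    function isSignedIn() {
      return request.auth != null;
    }

    // The document as it would exist after the write.
    function incoming() {
      return request.resource.data;
    }

    // Keys an update would change relative to the stored document.
    function changedKeys() {
      return request.resource.data.diff(resource.data).affectedKeys();
    }

    // Metric schema: fields beyond count and their types are assumed here.
    function isValidMetricCreate() {
      return incoming().keys().hasOnly(['id', 'title', 'searchTerm', 'count'])
        && incoming().keys().hasAll(['id', 'title', 'searchTerm', 'count'])
        && incoming().title is string
        && incoming().searchTerm is string
        && incoming().count is int
        && incoming().count == 1;
    }

    // Only count may change, and only by exactly +1.
    function isValidMetricUpdate() {
      return changedKeys().hasOnly(['count'])
        && incoming().count == resource.data.count + 1;
    }

    // users/{userId}: owner-only, exact key set, username is the only mutable field.
    match /users/{userId} {
      allow read: if isSignedIn() && request.auth.uid == userId;

      allow create: if isSignedIn()
        && request.auth.uid == userId
        && incoming().keys().hasOnly(['uid', 'email', 'username', 'createdAt'])
        && incoming().keys().hasAll(['uid', 'email', 'username', 'createdAt'])
        && incoming().uid == userId
        && incoming().email is string
        && incoming().username is string
        && incoming().createdAt is timestamp;

      allow update: if isSignedIn()
        && request.auth.uid == userId
        && changedKeys().hasOnly(['username'])
        && incoming().username is string;

      allow delete: if false;
    }

    // favorites/{favoriteId}: ownership lives in the userId field, so it is checked
    // against request.auth.uid on create and against stored data on read/delete.
    match /favorites/{favoriteId} {
      allow read, delete: if isSignedIn()
        && resource.data.userId == request.auth.uid;

      allow create: if isSignedIn()
        && incoming().userId == request.auth.uid
        && incoming().keys().hasOnly(['userId', 'itemId', 'type', 'title', 'poster', 'savedAt'])
        && incoming().keys().hasAll(['userId', 'itemId', 'type', 'title', 'poster', 'savedAt'])
        && incoming().type in ['movie', 'tv']
        && incoming().title is string
        && incoming().poster is string
        && incoming().savedAt is timestamp;

      allow update: if false;
    }

    // metrics and tvMetrics: public read, authenticated strict create, +1 updates only.
    match /metrics/{metricId} {
      allow read: if true;
      allow create: if isSignedIn() && isValidMetricCreate();
      allow update: if isSignedIn() && isValidMetricUpdate();
      allow delete: if false;
    }

    match /tvMetrics/{metricId} {
      allow read: if true;
      allow create: if isSignedIn() && isValidMetricCreate();
      allow update: if isSignedIn() && isValidMetricUpdate();
      allow delete: if false;
    }

    // Overlapping matches are OR'd, so this grants nothing; it only documents the default.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The hasOnly/hasAll pair is what makes the schema exact: hasOnly rejects extra keys, hasAll rejects missing ones. The diff().affectedKeys() check on updates is what keeps uid, email and createdAt immutable without listing each field, and the same helper pins metric updates to the count field alone.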

Manual Validation (Recommended)

Use Firebase Emulator Suite to validate allow/deny behavior before deploy:

firebase emulators:start --only firestore

Validation matrix to run manually from app or test scripts:

  1. users:
     - Owner can create/read/update username.
     - Non-owner cannot read or write.
     - Owner cannot change email/uid/createdAt.
  2. favorites:
     - Auth user can create favorite for own userId.
     - Auth user cannot create favorite for another userId.
     - Non-owner cannot read/delete other user favorite.
  3. metrics/tvMetrics:
     - Auth user can create metric document with valid fields.
     - Update with count + 1 succeeds.
     - Update changing title/id/searchTerm fails.
     - Unauthenticated write fails.

Deployment

firebase deploy --only firestore:rules
firebase deploy --only firestore:indexes

Automated Rules Testing

Test file: tests/firestore.rules.test.cjs

Run:

npm run test:firestore-rules

Note: the Firestore emulator requires Java to be installed and available on PATH.

The test suite runs against the Firestore emulator and verifies both allow and deny paths for users, favorites, and metrics.

Follow-up

  1. Add automated Firestore rules tests in CI (@firebase/rules-unit-testing).
  2. Add Firebase App Check enforcement for abuse resistance.
  3. Move metrics writes to Cloud Functions if stricter anti-abuse controls are needed.
  4. Keep OpenAI key only in Firebase Functions secrets (OPENAI_API_KEY).
