I've set Firebase's security to make firepads IDs secret.

[This commit doesn't do anything by itself, just documents the config change]
cben · Sep 11, 2013 · 4ff7214 · 4ff7214
1 parent 18eb22d
commit 4ff7214
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/firebase-config/security-rules.json b/firebase-config/security-rules.json
@@ -0,0 +1,28 @@
+/* Based on firepad's examples/security/secret-url.json */
+{
+  "rules": {
+    "firepads": {
+      "$secretid": {
+        "history": {
+          ".read": true,
+          "$revision": {
+            /* Prevent overwriting existing revisions. */
+            ".write": "data.val() === null"
+          }
+        },
+        "checkpoint": {
+          ".read": true,
+          /* Ensure author of checkpoint is the same as the author of the revision they're checkpointing. */
+          ".write": "root.child($secretid).child('history').child(newData.child('id').val()).child('a').val() === newData.child('a').val()",
+          ".validate": "newData.hasChildren(['a', 'o', 'id'])"
+        },
+        "users": {
+          ".read": true,
+          "$user": {
+            ".write": true
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/firebase-config/security-test.sh b/firebase-config/security-test.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# TODO: learn to write this kind of theng in Node.js.
+
+fails=0
+
+firebase=mathdown-alpha.firebaseio.com
+# Can't read list of pads
+curl --silent --head -X GET https://$firebase/firepads.json | grep 403 || let fails++
+# Can read pad with known name
+curl --silent --head -X GET https://$firebase/firepads/help/history.json | grep 200 || let fails++
+curl --silent --head -X GET https://$firebase/firepads/help/checkpoint.json | grep 200 || let fails++
+curl --silent --head -X GET https://$firebase/firepads/help/users.json | grep 200 || let fails++
+
+echo
+if [ $fails != 0 ]; then
+  echo "$fails FAILURES"
+else
+  echo "PASS"
+fi
+exit $fails