security(firestore): fix broken access control on admin key #392
Merged. Aditya948351 merged 1 commit (May 31, 2026).
…ns and migrate to custom claims
Author (Contributor): hey @Aditya948351 kindly review this PR.
Aditya948351 (Collaborator) approved these changes on May 31, 2026 and commented: Crucial security fix for the admin config. Thanks for patching this up securely.
Author (Contributor): thank you sir. kindly merge
Aditya948351 (Collaborator): Do star the repo! Successfully merging this and loved the changes you did.
Author (Contributor): thank you sir. @Aditya948351
Description
We identified a critical security vulnerability (broken access control) where unauthenticated users could access the superadmin_keys and admin_keys Firestore collections directly via the frontend client SDK. This allowed anyone to query the secret registration keys via the browser console and use them to gain unauthorized administrative privileges.
Solution Implemented
To resolve this vulnerability and decouple client-side verification from our core database infrastructure, the following structural changes were made:
- Firestore rules fixed: Updated firestore.rules to reject public reads (allow read: if isSuperAdmin();) on both key collections. This completely blocks unauthorized client-side queries via the Client SDK.
- Centralized Admin Auth SDK: Updated the backend Firebase Admin utility loader to export a secure getAuth instance alongside getFirestore.
- Migration to Custom Claims: Refactored the CLI seed scripts and verification logic away from the vulnerable Firebase Client SDK over to the Firebase Admin SDK. Privileges are now assigned via cryptographically secure Custom User Claims (superadmin: true), completely removing raw database key exposures.
- Normalized claim structure: Standardized the custom claim payload structure to use superadmin (without underscores) to guarantee a 1:1 match with the dynamic lookup functions inside our production security rules.
Fixes #323
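As an added example (not code from this PR or the project), the two halves of the fix modelled in JavaScript: a seed-script helper that grants the claim through the Admin SDK's `setCustomUserClaims`, and a pure model of the rules decision `allow read: if isSuperAdmin();` so the claim-name normalization (`superadmin` vs `super_admin`) can be checked offline. The collection and claim names come from the PR; the `auth` parameter is assumed to be an `admin.auth()` instance, and the rules fragment in the comments is an assumed equivalent, not the project's actual firestore.rules.

```javascript
// Added example, not code from the PR. It models the two halves of the fix:
// (1) the seed-script step that grants `superadmin: true` through the Firebase
//     Admin SDK, and (2) the firestore.rules decision `allow read: if isSuperAdmin();`
//     as a pure function, so the claim-name normalization can be checked offline.
//
// Assumed equivalent of the rules fragment (the project's actual firestore.rules
// is not on this page):
//   function isSuperAdmin() {
//     return request.auth != null && request.auth.token.superadmin == true;
//   }
//   match /superadmin_keys/{id} { allow read: if isSuperAdmin(); allow write: if false; }
//   match /admin_keys/{id}      { allow read: if isSuperAdmin(); allow write: if false; }

const KEY_COLLECTIONS = new Set(["superadmin_keys", "admin_keys"]);

// Model of isSuperAdmin(). `requestAuth` mirrors request.auth: null for an
// unauthenticated client, otherwise { uid, token } where custom claims appear
// as plain fields of the decoded ID token.
function isSuperAdmin(requestAuth) {
  if (requestAuth === null || requestAuth === undefined) return false;
  const token = requestAuth.token || {};
  // Strict equality: only the exact claim name `superadmin` with boolean true
  // passes; `super_admin: true` or `superadmin: "true"` are denied.
  return token.superadmin === true;
}

// Model of the read decision for the two key collections (other paths are
// outside this example and are denied here).
function canRead(collection, requestAuth) {
  if (!KEY_COLLECTIONS.has(collection)) return false;
  return isSuperAdmin(requestAuth);
}

// Seed-script step. `auth` is assumed to be an admin.auth() instance from
// firebase-admin (or a test double with the same method). setCustomUserClaims
// replaces the user's whole custom-claim object, so pass every claim you want
// kept; the claim reaches the rules only after the client refreshes its ID token.
async function grantSuperAdmin(auth, uid) {
  const claims = { superadmin: true };
  await auth.setCustomUserClaims(uid, claims);
  return { uid, claims };
}
```

Running `canRead` against tokens with `super_admin: true` or a string `"true"` shows why the claim payload had to be normalized to exactly `superadmin: true`.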