ship-safe 1.0.1 → 2.0.0

package/configs/firebase/security-checklist.md

@@ -0,0 +1,236 @@
+# Firebase Security Checklist
+
+**Complete this checklist before launching your Firebase-powered app.**
+
+Based on common Firebase security vulnerabilities found in bug bounty programs and penetration tests.
+
+---
+
+## Critical: Security Rules
+
+### 1. [ ] NOT using test mode rules
+
+**Check your Firestore rules don't contain:**
+```javascript
+// DANGEROUS: Test mode - allows anyone to read/write
+allow read, write: if true;
+
+// DANGEROUS: Time-based test mode (often forgotten)
+allow read, write: if request.time < timestamp.date(2024, 12, 31);
+```
+
+**Fix:** Replace with proper authentication-based rules.
+
+### 2. [ ] Firestore rules require authentication
+
+```javascript
+// GOOD: Requires authentication
+allow read, write: if request.auth != null;
+
+// BETTER: Requires authentication AND ownership
+allow read, write: if request.auth.uid == userId;
+```
+
+### 3. [ ] Storage rules have file type validation
+
+```javascript
+// GOOD: Only allow specific image types
+allow write: if request.resource.contentType.matches('image/.*')
+  && request.resource.contentType in ['image/jpeg', 'image/png', 'image/webp'];
+```
+
+### 4. [ ] Storage rules have file size limits
+
+```javascript
+// GOOD: Limit to 5MB
+allow write: if request.resource.size < 5 * 1024 * 1024;
+```
+
+### 5. [ ] Default deny rule at the end
+
+```javascript
+// Catch-all: deny everything not explicitly allowed
+match /{document=**} {
+  allow read, write: if false;
+}
+```
+
+---
+
+## Critical: API Keys
+
+### 6. [ ] API key restrictions configured
+
+Firebase Console > Project Settings > API Keys (in Google Cloud Console)
+
+- [ ] Application restrictions (HTTP referrers for web, app signatures for mobile)
+- [ ] API restrictions (only enable APIs you use)
+
+### 7. [ ] Firebase config not containing sensitive data
+
+Your `firebaseConfig` is designed to be public, but verify:
+
+```javascript
+// These are OK to be public:
+const firebaseConfig = {
+  apiKey: "...",           // OK - restricted by security rules
+  authDomain: "...",       // OK - public
+  projectId: "...",        // OK - public
+  storageBucket: "...",    // OK - protected by storage rules
+  messagingSenderId: "...", // OK - public
+  appId: "..."             // OK - public
+};
+
+// NEVER include these in client code:
+// - Service account private keys
+// - Admin SDK credentials
+// - Database URLs with embedded secrets
+```
+
+### 8. [ ] Service account keys not in client code
+
+```bash
+# Scan for service account files
+npx ship-safe scan .
+
+# Or manually search
+find . -name "*.json" -exec grep -l "private_key" {} \;
+grep -r "BEGIN PRIVATE KEY" .
+```
+
+---
+
+## High: Authentication
+
+### 9. [ ] Email enumeration protection enabled
+
+Firebase Console > Authentication > Settings > User Actions
+- [ ] Email enumeration protection = ON
+
+This prevents attackers from discovering valid email addresses.
+
+### 10. [ ] Password requirements configured
+
+Firebase Console > Authentication > Sign-in method > Email/Password
+- [ ] Minimum password length (recommend 8+)
+- [ ] Require uppercase/lowercase/numbers (if supported)
+
+### 11. [ ] OAuth providers properly configured
+
+For each OAuth provider (Google, Facebook, etc.):
+- [ ] Authorized domains list is correct
+- [ ] Callback URLs are HTTPS only
+- [ ] Client secrets are not exposed
+
+### 12. [ ] Phone auth abuse protection
+
+If using phone authentication:
+- [ ] SMS region policy configured (limit to countries you serve)
+- [ ] App verification enabled
+- [ ] Rate limiting understood
+
+---
+
+## High: Database Security
+
+### 13. [ ] No sensitive data in public collections
+
+Review your data structure:
+- [ ] User emails not in publicly readable collections
+- [ ] Payment info not in Firestore (use Stripe)
+- [ ] Passwords never stored (use Firebase Auth)
+
+### 14. [ ] Indexes don't expose data patterns
+
+Firebase Console > Firestore > Indexes
+
+Complex indexes can reveal data structure. Review each index.
+
+### 15. [ ] Backup and recovery plan exists
+
+Firebase Console > Firestore > Backups
+- [ ] Automated backups enabled
+- [ ] Tested restore process
+
+---
+
+## Medium: Monitoring & Alerts
+
+### 16. [ ] Firebase App Check enabled
+
+Firebase Console > App Check
+- [ ] reCAPTCHA for web
+- [ ] Device Check for iOS
+- [ ] Play Integrity for Android
+
+App Check helps prevent abuse from unauthorized clients.
+
+### 17. [ ] Budget alerts configured
+
+Google Cloud Console > Billing > Budgets & alerts
+- [ ] Budget set for expected usage
+- [ ] Alerts at 50%, 90%, 100%
+
+Prevents surprise bills from attacks or bugs.
+
+### 18. [ ] Security rules monitoring
+
+Firebase Console > Firestore > Rules > Monitor
+- [ ] Review denied requests regularly
+- [ ] Set up alerts for unusual patterns
+
+---
+
+## Quick Security Audit Commands
+
+### Check for exposed Firebase configs
+
+```bash
+# Search for Firebase config in your codebase
+grep -r "firebaseConfig" --include="*.js" --include="*.ts" .
+grep -r "apiKey.*firebase" --include="*.js" --include="*.ts" .
+```
+
+### Test your security rules
+
+```bash
+# Install Firebase Emulator
+npm install -g firebase-tools
+
+# Run security rules tests
+firebase emulators:start --only firestore
+# Then run your test suite against localhost
+```
+
+### Scan for secrets
+
+```bash
+npx ship-safe scan .
+```
+
+---
+
+## Testing Checklist
+
+Before launch, test these scenarios:
+
+1. [ ] Unauthenticated user cannot read private data
+2. [ ] User A cannot read User B's private data
+3. [ ] User cannot write to another user's document
+4. [ ] File uploads are rejected if wrong type
+5. [ ] Large file uploads are rejected
+6. [ ] Rate limiting works (if implemented)
+
+---
+
+## Firebase Security Resources
+
+- [Firebase Security Rules Documentation](https://firebase.google.com/docs/rules)
+- [Firebase Security Checklist](https://firebase.google.com/support/guides/security-checklist)
+- [Firebase App Check](https://firebase.google.com/docs/app-check)
+
+---
+
+**Remember: Firebase makes it easy to build fast, but "test mode" is not a security strategy.**
+
+Run `npx ship-safe scan .` to check for leaked keys before every deploy.

package/configs/firebase/storage-rules.txt

@@ -0,0 +1,206 @@
+// =============================================================================
+// FIREBASE STORAGE SECURITY RULES TEMPLATES
+// =============================================================================
+//
+// Copy these rules to your Firebase Console > Storage > Rules
+//
+// WHY THIS MATTERS:
+// - Default rules may allow anyone to upload/download files
+// - Uploaded files can contain malware or illegal content
+// - Storage costs can explode if not properly secured
+//
+// HOW TO USE:
+// 1. Go to Firebase Console > Storage > Rules
+// 2. Replace the default rules with these templates
+// 3. Customize paths and limits for your app
+// 4. Publish and test thoroughly
+//
+// =============================================================================
+
+rules_version = '2';
+service firebase.storage {
+  match /b/{bucket}/o {
+
+    // =========================================================================
+    // HELPER FUNCTIONS
+    // =========================================================================
+
+    // Check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Get the authenticated user's ID
+    function userId() {
+      return request.auth.uid;
+    }
+
+    // Check file size (in bytes)
+    function isUnderMaxSize(maxSizeMB) {
+      return request.resource.size < maxSizeMB * 1024 * 1024;
+    }
+
+    // Check if file is an image
+    function isImage() {
+      return request.resource.contentType.matches('image/.*');
+    }
+
+    // Check if file is a specific image type
+    function isImageType(types) {
+      return request.resource.contentType in types;
+    }
+
+    // Check if file is a document
+    function isDocument() {
+      return request.resource.contentType in [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+      ];
+    }
+
+    // =========================================================================
+    // PATTERN 1: USER AVATARS (User's own files)
+    // =========================================================================
+
+    match /avatars/{userId}/{fileName} {
+      // Anyone can view avatars (they're public profile pictures)
+      allow read: if true;
+
+      // Users can only upload to their own folder
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isImage()
+        && isUnderMaxSize(2)  // 2MB max
+        && isImageType(['image/jpeg', 'image/png', 'image/webp']);
+    }
+
+    // =========================================================================
+    // PATTERN 2: PRIVATE USER FILES
+    // =========================================================================
+
+    match /users/{userId}/private/{allPaths=**} {
+      // Users can only access their own private files
+      allow read: if isAuthenticated() && request.auth.uid == userId;
+
+      // Users can upload to their own folder with size limits
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isUnderMaxSize(10);  // 10MB max
+
+      // Users can delete their own files
+      allow delete: if isAuthenticated() && request.auth.uid == userId;
+    }
+
+    // =========================================================================
+    // PATTERN 3: SHARED/PUBLIC FILES (Authenticated upload, public read)
+    // =========================================================================
+
+    match /public/{allPaths=**} {
+      // Anyone can read public files
+      allow read: if true;
+
+      // Only authenticated users can upload
+      allow write: if isAuthenticated()
+        && isUnderMaxSize(5)
+        && (isImage() || isDocument());
+
+      // Only admins can delete (implement admin check via custom claims)
+      allow delete: if request.auth.token.admin == true;
+    }
+
+    // =========================================================================
+    // PATTERN 4: ORGANIZATION FILES
+    // =========================================================================
+
+    match /organizations/{orgId}/{allPaths=**} {
+      // Check org membership via custom claims
+      function isOrgMember() {
+        return request.auth.token.orgId == orgId;
+      }
+
+      function isOrgAdmin() {
+        return request.auth.token.orgId == orgId
+          && request.auth.token.orgRole == 'admin';
+      }
+
+      // Org members can read
+      allow read: if isAuthenticated() && isOrgMember();
+
+      // Org members can upload
+      allow create: if isAuthenticated()
+        && isOrgMember()
+        && isUnderMaxSize(50);  // 50MB for org files
+
+      // Org admins can delete
+      allow delete: if isAuthenticated() && isOrgAdmin();
+    }
+
+    // =========================================================================
+    // PATTERN 5: TEMPORARY UPLOADS (with expiration)
+    // =========================================================================
+
+    match /temp/{uploadId} {
+      // Anyone authenticated can upload to temp
+      allow create: if isAuthenticated()
+        && isUnderMaxSize(10)
+        // Set metadata for cleanup jobs
+        && request.resource.metadata.uploadedBy == userId()
+        && request.resource.metadata.expiresAt != null;
+
+      // Only the uploader can read/delete their temp files
+      allow read, delete: if isAuthenticated()
+        && resource.metadata.uploadedBy == userId();
+    }
+
+    // =========================================================================
+    // PATTERN 6: STRICT IMAGE UPLOADS (Profile pictures, etc.)
+    // =========================================================================
+
+    match /images/{imageId} {
+      // Public read
+      allow read: if true;
+
+      // Strict upload requirements
+      allow create: if isAuthenticated()
+        // Must be an allowed image type
+        && isImageType(['image/jpeg', 'image/png', 'image/gif', 'image/webp'])
+        // Max 5MB
+        && isUnderMaxSize(5)
+        // Must have dimensions metadata (set by client)
+        && request.resource.metadata.width != null
+        && request.resource.metadata.height != null
+        // Reasonable dimensions (prevent huge images)
+        && int(request.resource.metadata.width) <= 4096
+        && int(request.resource.metadata.height) <= 4096;
+    }
+
+    // =========================================================================
+    // ANTI-PATTERNS: NEVER DO THIS
+    // =========================================================================
+
+    // BAD: Allows anyone to read/write everything
+    // match /{allPaths=**} {
+    //   allow read, write: if true;
+    // }
+
+    // BAD: No file type validation (allows malware uploads)
+    // match /uploads/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // BAD: No size limits (allows storage cost attacks)
+    // match /files/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // =========================================================================
+    // DEFAULT: DENY ALL (Safety net)
+    // =========================================================================
+
+    // Deny access to any path not explicitly defined above
+    match /{allPaths=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/configs/supabase/rls-templates.sql

@@ -0,0 +1,242 @@
+-- =============================================================================
+-- SUPABASE ROW LEVEL SECURITY (RLS) TEMPLATES
+-- =============================================================================
+--
+-- Copy-paste these policies to secure your Supabase tables.
+--
+-- WHY RLS MATTERS:
+-- Without RLS, anyone with your anon key can read/write ALL data.
+-- 83% of exposed Supabase databases have RLS misconfigurations.
+-- Source: https://byteiota.com/supabase-security-flaw-170-apps-exposed-by-missing-rls/
+--
+-- HOW TO USE:
+-- 1. Enable RLS on your table: ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
+-- 2. Copy the relevant policy below
+-- 3. Replace 'your_table' with your actual table name
+-- 4. Test with different user contexts
+--
+-- =============================================================================
+
+
+-- =============================================================================
+-- STEP 1: ALWAYS ENABLE RLS FIRST
+-- =============================================================================
+
+-- Enable RLS on a table (REQUIRED before adding policies)
+ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
+
+-- Force RLS for table owners too (recommended for security)
+ALTER TABLE your_table FORCE ROW LEVEL SECURITY;
+
+
+-- =============================================================================
+-- PATTERN 1: USER OWNS THEIR DATA
+-- =============================================================================
+-- Use when: Each user should only see/edit their own records
+-- Example tables: profiles, settings, user_preferences
+
+-- Users can only SELECT their own rows
+CREATE POLICY "Users can view own data"
+ON your_table
+FOR SELECT
+USING (auth.uid() = user_id);
+
+-- Users can only INSERT rows with their own user_id
+CREATE POLICY "Users can insert own data"
+ON your_table
+FOR INSERT
+WITH CHECK (auth.uid() = user_id);
+
+-- Users can only UPDATE their own rows
+CREATE POLICY "Users can update own data"
+ON your_table
+FOR UPDATE
+USING (auth.uid() = user_id)
+WITH CHECK (auth.uid() = user_id);
+
+-- Users can only DELETE their own rows
+CREATE POLICY "Users can delete own data"
+ON your_table
+FOR DELETE
+USING (auth.uid() = user_id);
+
+-- COMBINED: All operations for own data (simpler but less granular)
+CREATE POLICY "Users manage own data"
+ON your_table
+FOR ALL
+USING (auth.uid() = user_id)
+WITH CHECK (auth.uid() = user_id);
+
+
+-- =============================================================================
+-- PATTERN 2: ORGANIZATION/TEAM BASED ACCESS
+-- =============================================================================
+-- Use when: Users belong to orgs and should see all org data
+-- Example tables: projects, documents, team_settings
+
+-- First, create a helper function to get user's org
+CREATE OR REPLACE FUNCTION get_user_org_id()
+RETURNS UUID AS $$
+  SELECT org_id FROM profiles WHERE id = auth.uid()
+$$ LANGUAGE SQL SECURITY DEFINER;
+
+-- Users can view all data in their organization
+CREATE POLICY "Org members can view org data"
+ON your_table
+FOR SELECT
+USING (org_id = get_user_org_id());
+
+-- Users can insert data into their organization
+CREATE POLICY "Org members can insert org data"
+ON your_table
+FOR INSERT
+WITH CHECK (org_id = get_user_org_id());
+
+-- Only allow updates to org data
+CREATE POLICY "Org members can update org data"
+ON your_table
+FOR UPDATE
+USING (org_id = get_user_org_id())
+WITH CHECK (org_id = get_user_org_id());
+
+
+-- =============================================================================
+-- PATTERN 3: ROLE-BASED ACCESS CONTROL (RBAC)
+-- =============================================================================
+-- Use when: Different users have different permission levels
+-- Example: admin, editor, viewer roles
+
+-- Helper function to check user role
+CREATE OR REPLACE FUNCTION get_user_role()
+RETURNS TEXT AS $$
+  SELECT role FROM profiles WHERE id = auth.uid()
+$$ LANGUAGE SQL SECURITY DEFINER;
+
+-- Anyone authenticated can view (public within app)
+CREATE POLICY "Authenticated users can view"
+ON your_table
+FOR SELECT
+USING (auth.role() = 'authenticated');
+
+-- Only admins and editors can insert
+CREATE POLICY "Admins and editors can insert"
+ON your_table
+FOR INSERT
+WITH CHECK (get_user_role() IN ('admin', 'editor'));
+
+-- Only admins can delete
+CREATE POLICY "Only admins can delete"
+ON your_table
+FOR DELETE
+USING (get_user_role() = 'admin');
+
+
+-- =============================================================================
+-- PATTERN 4: PUBLIC READ, AUTHENTICATED WRITE
+-- =============================================================================
+-- Use when: Content is public but only logged-in users can contribute
+-- Example tables: blog_posts, comments, public_profiles
+
+-- Anyone can read (including anonymous)
+CREATE POLICY "Public read access"
+ON your_table
+FOR SELECT
+USING (true);
+
+-- Only authenticated users can insert
+CREATE POLICY "Authenticated users can insert"
+ON your_table
+FOR INSERT
+WITH CHECK (auth.role() = 'authenticated');
+
+-- Users can only update their own posts
+CREATE POLICY "Users can update own posts"
+ON your_table
+FOR UPDATE
+USING (auth.uid() = author_id)
+WITH CHECK (auth.uid() = author_id);
+
+
+-- =============================================================================
+-- PATTERN 5: PRIVATE BY DEFAULT (Explicit sharing)
+-- =============================================================================
+-- Use when: Data is private unless explicitly shared
+-- Example tables: documents, files with sharing
+
+-- Owner can always access
+CREATE POLICY "Owner full access"
+ON documents
+FOR ALL
+USING (auth.uid() = owner_id)
+WITH CHECK (auth.uid() = owner_id);
+
+-- Shared users can view (requires a shares table)
+CREATE POLICY "Shared users can view"
+ON documents
+FOR SELECT
+USING (
+  auth.uid() = owner_id
+  OR
+  EXISTS (
+    SELECT 1 FROM document_shares
+    WHERE document_shares.document_id = documents.id
+    AND document_shares.user_id = auth.uid()
+  )
+);
+
+
+-- =============================================================================
+-- PATTERN 6: TIME-BASED ACCESS
+-- =============================================================================
+-- Use when: Content has publish dates or expiration
+-- Example tables: scheduled_posts, limited_offers
+
+-- Only show published content
+CREATE POLICY "Show only published content"
+ON posts
+FOR SELECT
+USING (
+  published_at IS NOT NULL
+  AND published_at <= NOW()
+  AND (expires_at IS NULL OR expires_at > NOW())
+);
+
+-- Authors can always see their drafts
+CREATE POLICY "Authors see own drafts"
+ON posts
+FOR SELECT
+USING (auth.uid() = author_id);
+
+
+-- =============================================================================
+-- ANTI-PATTERNS: DON'T DO THIS
+-- =============================================================================
+
+-- BAD: Allows anyone to read everything
+-- CREATE POLICY "bad_policy" ON users FOR SELECT USING (true);
+
+-- BAD: No WITH CHECK means users could insert data for other users
+-- CREATE POLICY "bad_insert" ON posts FOR INSERT WITH CHECK (true);
+
+-- BAD: Missing USING clause on UPDATE allows updating any row
+-- CREATE POLICY "bad_update" ON posts FOR UPDATE WITH CHECK (auth.uid() = user_id);
+
+
+-- =============================================================================
+-- TESTING YOUR POLICIES
+-- =============================================================================
+
+-- Test as a specific user (in SQL editor)
+-- SET request.jwt.claim.sub = 'user-uuid-here';
+-- SELECT * FROM your_table;
+
+-- Check existing policies on a table
+SELECT * FROM pg_policies WHERE tablename = 'your_table';
+
+-- List all tables without RLS enabled (DANGER!)
+SELECT schemaname, tablename
+FROM pg_tables
+WHERE schemaname = 'public'
+AND tablename NOT IN (
+  SELECT tablename FROM pg_policies
+);