ship-safe 1.0.1 → 3.0.0

package/configs/firebase/firestore-rules.txt

@@ -0,0 +1,215 @@
+// =============================================================================
+// FIREBASE FIRESTORE SECURITY RULES TEMPLATES
+// =============================================================================
+//
+// Copy these rules to your Firebase Console > Firestore > Rules
+//
+// WHY THIS MATTERS:
+// - Default test mode rules allow ANYONE to read/write ALL data
+// - Test mode is the #1 cause of Firebase data breaches
+// - 40% of Firebase apps have misconfigured security rules
+//
+// HOW TO USE:
+// 1. Go to Firebase Console > Firestore Database > Rules
+// 2. Replace the default rules with these templates
+// 3. Customize for your data structure
+// 4. Publish and test thoroughly
+//
+// =============================================================================
+
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // =========================================================================
+    // HELPER FUNCTIONS
+    // =========================================================================
+
+    // Check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Get the authenticated user's ID
+    function userId() {
+      return request.auth.uid;
+    }
+
+    // Check if user owns a document (document has a userId field)
+    function isOwner() {
+      return isAuthenticated() && resource.data.userId == userId();
+    }
+
+    // Check if user is creating a document with their own userId
+    function isCreatingOwn() {
+      return isAuthenticated() && request.resource.data.userId == userId();
+    }
+
+    // Check if user has a specific role (requires a users collection with role field)
+    function hasRole(role) {
+      return isAuthenticated() &&
+        get(/databases/$(database)/documents/users/$(userId())).data.role == role;
+    }
+
+    // Check if user is admin
+    function isAdmin() {
+      return hasRole('admin');
+    }
+
+    // Validate that required fields exist
+    function hasRequiredFields(fields) {
+      return request.resource.data.keys().hasAll(fields);
+    }
+
+    // Check if only allowed fields are being modified
+    function onlyUpdating(fields) {
+      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(fields);
+    }
+
+    // =========================================================================
+    // PATTERN 1: USER PROFILES (User owns their profile)
+    // =========================================================================
+
+    match /users/{userId} {
+      // Users can read their own profile
+      allow read: if isAuthenticated() && request.auth.uid == userId;
+
+      // Users can create their own profile
+      allow create: if isAuthenticated()
+        && request.auth.uid == userId
+        && hasRequiredFields(['email', 'createdAt'])
+        && request.resource.data.createdAt == request.time;
+
+      // Users can update their own profile (except role)
+      allow update: if isAuthenticated()
+        && request.auth.uid == userId
+        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
+
+      // Only admins can delete users
+      allow delete: if isAdmin();
+    }
+
+    // =========================================================================
+    // PATTERN 2: PRIVATE DATA (User's own data)
+    // =========================================================================
+
+    match /private/{userId}/{document=**} {
+      // Users can only access their own private data
+      allow read, write: if isAuthenticated() && request.auth.uid == userId;
+    }
+
+    // =========================================================================
+    // PATTERN 3: POSTS/CONTENT (Public read, authenticated write)
+    // =========================================================================
+
+    match /posts/{postId} {
+      // Anyone can read published posts
+      allow read: if resource.data.published == true
+        || (isAuthenticated() && resource.data.authorId == userId());
+
+      // Authenticated users can create posts
+      allow create: if isAuthenticated()
+        && request.resource.data.authorId == userId()
+        && hasRequiredFields(['title', 'content', 'authorId', 'createdAt'])
+        && request.resource.data.createdAt == request.time;
+
+      // Authors can update their own posts
+      allow update: if isAuthenticated()
+        && resource.data.authorId == userId()
+        && request.resource.data.authorId == userId();  // Can't change author
+
+      // Authors and admins can delete
+      allow delete: if isAuthenticated()
+        && (resource.data.authorId == userId() || isAdmin());
+    }
+
+    // =========================================================================
+    // PATTERN 4: ORGANIZATION/TEAM DATA
+    // =========================================================================
+
+    match /organizations/{orgId} {
+      // Function to check org membership
+      function isOrgMember() {
+        return isAuthenticated() &&
+          exists(/databases/$(database)/documents/organizations/$(orgId)/members/$(userId()));
+      }
+
+      function isOrgAdmin() {
+        return isAuthenticated() &&
+          get(/databases/$(database)/documents/organizations/$(orgId)/members/$(userId())).data.role == 'admin';
+      }
+
+      // Org members can read org data
+      allow read: if isOrgMember();
+
+      // Only org admins can update org settings
+      allow update: if isOrgAdmin();
+
+      // Nested collection: org members
+      match /members/{memberId} {
+        allow read: if isOrgMember();
+        allow write: if isOrgAdmin();
+      }
+
+      // Nested collection: org projects
+      match /projects/{projectId} {
+        allow read: if isOrgMember();
+        allow create: if isOrgMember()
+          && request.resource.data.createdBy == userId();
+        allow update: if isOrgMember();
+        allow delete: if isOrgAdmin();
+      }
+    }
+
+    // =========================================================================
+    // PATTERN 5: RATE LIMITING (Using timestamps)
+    // =========================================================================
+
+    match /rateLimited/{docId} {
+      // Allow creation only if user hasn't created one in the last minute
+      allow create: if isAuthenticated()
+        && (!exists(/databases/$(database)/documents/rateLimited/$(userId()))
+          || get(/databases/$(database)/documents/rateLimited/$(userId())).data.lastAction < request.time - duration.value(1, 'm'));
+    }
+
+    // =========================================================================
+    // PATTERN 6: READ-ONLY PUBLIC DATA
+    // =========================================================================
+
+    match /public/{document=**} {
+      // Anyone can read public data
+      allow read: if true;
+
+      // Only admins can write
+      allow write: if isAdmin();
+    }
+
+    // =========================================================================
+    // ANTI-PATTERNS: NEVER DO THIS
+    // =========================================================================
+
+    // BAD: Allows anyone to read/write everything
+    // match /{document=**} {
+    //   allow read, write: if true;
+    // }
+
+    // BAD: Test mode rules (auto-generated, REMOVE before production)
+    // match /{document=**} {
+    //   allow read, write: if request.time < timestamp.date(2024, 12, 31);
+    // }
+
+    // BAD: Checking auth but not ownership
+    // match /users/{userId} {
+    //   allow read, write: if request.auth != null;  // Any user can access any user!
+    // }
+
+    // =========================================================================
+    // DEFAULT: DENY ALL (Safety net)
+    // =========================================================================
+
+    // Deny access to any collection not explicitly defined above
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/configs/firebase/security-checklist.md

@@ -0,0 +1,236 @@
+# Firebase Security Checklist
+
+**Complete this checklist before launching your Firebase-powered app.**
+
+Based on common Firebase security vulnerabilities found in bug bounty programs and penetration tests.
+
+---
+
+## Critical: Security Rules
+
+### 1. [ ] NOT using test mode rules
+
+**Check your Firestore rules don't contain:**
+```javascript
+// DANGEROUS: Test mode - allows anyone to read/write
+allow read, write: if true;
+
+// DANGEROUS: Time-based test mode (often forgotten)
+allow read, write: if request.time < timestamp.date(2024, 12, 31);
+```
+
+**Fix:** Replace with proper authentication-based rules.
+
+### 2. [ ] Firestore rules require authentication
+
+```javascript
+// GOOD: Requires authentication
+allow read, write: if request.auth != null;
+
+// BETTER: Requires authentication AND ownership
+allow read, write: if request.auth.uid == userId;
+```
+
+### 3. [ ] Storage rules have file type validation
+
+```javascript
+// GOOD: Only allow specific image types
+allow write: if request.resource.contentType.matches('image/.*')
+  && request.resource.contentType in ['image/jpeg', 'image/png', 'image/webp'];
+```
+
+### 4. [ ] Storage rules have file size limits
+
+```javascript
+// GOOD: Limit to 5MB
+allow write: if request.resource.size < 5 * 1024 * 1024;
+```
+
+### 5. [ ] Default deny rule at the end
+
+```javascript
+// Catch-all: deny everything not explicitly allowed
+match /{document=**} {
+  allow read, write: if false;
+}
+```
+
+---
+
+## Critical: API Keys
+
+### 6. [ ] API key restrictions configured
+
+Firebase Console > Project Settings > API Keys (in Google Cloud Console)
+
+- [ ] Application restrictions (HTTP referrers for web, app signatures for mobile)
+- [ ] API restrictions (only enable APIs you use)
+
+### 7. [ ] Firebase config not containing sensitive data
+
+Your `firebaseConfig` is designed to be public, but verify:
+
+```javascript
+// These are OK to be public:
+const firebaseConfig = {
+  apiKey: "...",           // OK - restricted by security rules
+  authDomain: "...",       // OK - public
+  projectId: "...",        // OK - public
+  storageBucket: "...",    // OK - protected by storage rules
+  messagingSenderId: "...", // OK - public
+  appId: "..."             // OK - public
+};
+
+// NEVER include these in client code:
+// - Service account private keys
+// - Admin SDK credentials
+// - Database URLs with embedded secrets
+```
+
+### 8. [ ] Service account keys not in client code
+
+```bash
+# Scan for service account files
+npx ship-safe scan .
+
+# Or manually search
+find . -name "*.json" -exec grep -l "private_key" {} \;
+grep -r "BEGIN PRIVATE KEY" .
+```
+
+---
+
+## High: Authentication
+
+### 9. [ ] Email enumeration protection enabled
+
+Firebase Console > Authentication > Settings > User Actions
+- [ ] Email enumeration protection = ON
+
+This prevents attackers from discovering valid email addresses.
+
+### 10. [ ] Password requirements configured
+
+Firebase Console > Authentication > Sign-in method > Email/Password
+- [ ] Minimum password length (recommend 8+)
+- [ ] Require uppercase/lowercase/numbers (if supported)
+
+### 11. [ ] OAuth providers properly configured
+
+For each OAuth provider (Google, Facebook, etc.):
+- [ ] Authorized domains list is correct
+- [ ] Callback URLs are HTTPS only
+- [ ] Client secrets are not exposed
+
+### 12. [ ] Phone auth abuse protection
+
+If using phone authentication:
+- [ ] SMS region policy configured (limit to countries you serve)
+- [ ] App verification enabled
+- [ ] Rate limiting understood
+
+---
+
+## High: Database Security
+
+### 13. [ ] No sensitive data in public collections
+
+Review your data structure:
+- [ ] User emails not in publicly readable collections
+- [ ] Payment info not in Firestore (use Stripe)
+- [ ] Passwords never stored (use Firebase Auth)
+
+### 14. [ ] Indexes don't expose data patterns
+
+Firebase Console > Firestore > Indexes
+
+Complex indexes can reveal data structure. Review each index.
+
+### 15. [ ] Backup and recovery plan exists
+
+Firebase Console > Firestore > Backups
+- [ ] Automated backups enabled
+- [ ] Tested restore process
+
+---
+
+## Medium: Monitoring & Alerts
+
+### 16. [ ] Firebase App Check enabled
+
+Firebase Console > App Check
+- [ ] reCAPTCHA for web
+- [ ] Device Check for iOS
+- [ ] Play Integrity for Android
+
+App Check helps prevent abuse from unauthorized clients.
+
+### 17. [ ] Budget alerts configured
+
+Google Cloud Console > Billing > Budgets & alerts
+- [ ] Budget set for expected usage
+- [ ] Alerts at 50%, 90%, 100%
+
+Prevents surprise bills from attacks or bugs.
+
+### 18. [ ] Security rules monitoring
+
+Firebase Console > Firestore > Rules > Monitor
+- [ ] Review denied requests regularly
+- [ ] Set up alerts for unusual patterns
+
+---
+
+## Quick Security Audit Commands
+
+### Check for exposed Firebase configs
+
+```bash
+# Search for Firebase config in your codebase
+grep -r "firebaseConfig" --include="*.js" --include="*.ts" .
+grep -r "apiKey.*firebase" --include="*.js" --include="*.ts" .
+```
+
+### Test your security rules
+
+```bash
+# Install Firebase Emulator
+npm install -g firebase-tools
+
+# Run security rules tests
+firebase emulators:start --only firestore
+# Then run your test suite against localhost
+```
+
+### Scan for secrets
+
+```bash
+npx ship-safe scan .
+```
+
+---
+
+## Testing Checklist
+
+Before launch, test these scenarios:
+
+1. [ ] Unauthenticated user cannot read private data
+2. [ ] User A cannot read User B's private data
+3. [ ] User cannot write to another user's document
+4. [ ] File uploads are rejected if wrong type
+5. [ ] Large file uploads are rejected
+6. [ ] Rate limiting works (if implemented)
+
+---
+
+## Firebase Security Resources
+
+- [Firebase Security Rules Documentation](https://firebase.google.com/docs/rules)
+- [Firebase Security Checklist](https://firebase.google.com/support/guides/security-checklist)
+- [Firebase App Check](https://firebase.google.com/docs/app-check)
+
+---
+
+**Remember: Firebase makes it easy to build fast, but "test mode" is not a security strategy.**
+
+Run `npx ship-safe scan .` to check for leaked keys before every deploy.

package/configs/firebase/storage-rules.txt

@@ -0,0 +1,206 @@
+// =============================================================================
+// FIREBASE STORAGE SECURITY RULES TEMPLATES
+// =============================================================================
+//
+// Copy these rules to your Firebase Console > Storage > Rules
+//
+// WHY THIS MATTERS:
+// - Default rules may allow anyone to upload/download files
+// - Uploaded files can contain malware or illegal content
+// - Storage costs can explode if not properly secured
+//
+// HOW TO USE:
+// 1. Go to Firebase Console > Storage > Rules
+// 2. Replace the default rules with these templates
+// 3. Customize paths and limits for your app
+// 4. Publish and test thoroughly
+//
+// =============================================================================
+
+rules_version = '2';
+service firebase.storage {
+  match /b/{bucket}/o {
+
+    // =========================================================================
+    // HELPER FUNCTIONS
+    // =========================================================================
+
+    // Check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Get the authenticated user's ID
+    function userId() {
+      return request.auth.uid;
+    }
+
+    // Check file size (in bytes)
+    function isUnderMaxSize(maxSizeMB) {
+      return request.resource.size < maxSizeMB * 1024 * 1024;
+    }
+
+    // Check if file is an image
+    function isImage() {
+      return request.resource.contentType.matches('image/.*');
+    }
+
+    // Check if file is a specific image type
+    function isImageType(types) {
+      return request.resource.contentType in types;
+    }
+
+    // Check if file is a document
+    function isDocument() {
+      return request.resource.contentType in [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+      ];
+    }
+
+    // =========================================================================
+    // PATTERN 1: USER AVATARS (User's own files)
+    // =========================================================================
+
+    match /avatars/{userId}/{fileName} {
+      // Anyone can view avatars (they're public profile pictures)
+      allow read: if true;
+
+      // Users can only upload to their own folder
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isImage()
+        && isUnderMaxSize(2)  // 2MB max
+        && isImageType(['image/jpeg', 'image/png', 'image/webp']);
+    }
+
+    // =========================================================================
+    // PATTERN 2: PRIVATE USER FILES
+    // =========================================================================
+
+    match /users/{userId}/private/{allPaths=**} {
+      // Users can only access their own private files
+      allow read: if isAuthenticated() && request.auth.uid == userId;
+
+      // Users can upload to their own folder with size limits
+      allow write: if isAuthenticated()
+        && request.auth.uid == userId
+        && isUnderMaxSize(10);  // 10MB max
+
+      // Users can delete their own files
+      allow delete: if isAuthenticated() && request.auth.uid == userId;
+    }
+
+    // =========================================================================
+    // PATTERN 3: SHARED/PUBLIC FILES (Authenticated upload, public read)
+    // =========================================================================
+
+    match /public/{allPaths=**} {
+      // Anyone can read public files
+      allow read: if true;
+
+      // Only authenticated users can upload
+      allow write: if isAuthenticated()
+        && isUnderMaxSize(5)
+        && (isImage() || isDocument());
+
+      // Only admins can delete (implement admin check via custom claims)
+      allow delete: if request.auth.token.admin == true;
+    }
+
+    // =========================================================================
+    // PATTERN 4: ORGANIZATION FILES
+    // =========================================================================
+
+    match /organizations/{orgId}/{allPaths=**} {
+      // Check org membership via custom claims
+      function isOrgMember() {
+        return request.auth.token.orgId == orgId;
+      }
+
+      function isOrgAdmin() {
+        return request.auth.token.orgId == orgId
+          && request.auth.token.orgRole == 'admin';
+      }
+
+      // Org members can read
+      allow read: if isAuthenticated() && isOrgMember();
+
+      // Org members can upload
+      allow create: if isAuthenticated()
+        && isOrgMember()
+        && isUnderMaxSize(50);  // 50MB for org files
+
+      // Org admins can delete
+      allow delete: if isAuthenticated() && isOrgAdmin();
+    }
+
+    // =========================================================================
+    // PATTERN 5: TEMPORARY UPLOADS (with expiration)
+    // =========================================================================
+
+    match /temp/{uploadId} {
+      // Anyone authenticated can upload to temp
+      allow create: if isAuthenticated()
+        && isUnderMaxSize(10)
+        // Set metadata for cleanup jobs
+        && request.resource.metadata.uploadedBy == userId()
+        && request.resource.metadata.expiresAt != null;
+
+      // Only the uploader can read/delete their temp files
+      allow read, delete: if isAuthenticated()
+        && resource.metadata.uploadedBy == userId();
+    }
+
+    // =========================================================================
+    // PATTERN 6: STRICT IMAGE UPLOADS (Profile pictures, etc.)
+    // =========================================================================
+
+    match /images/{imageId} {
+      // Public read
+      allow read: if true;
+
+      // Strict upload requirements
+      allow create: if isAuthenticated()
+        // Must be an allowed image type
+        && isImageType(['image/jpeg', 'image/png', 'image/gif', 'image/webp'])
+        // Max 5MB
+        && isUnderMaxSize(5)
+        // Must have dimensions metadata (set by client)
+        && request.resource.metadata.width != null
+        && request.resource.metadata.height != null
+        // Reasonable dimensions (prevent huge images)
+        && int(request.resource.metadata.width) <= 4096
+        && int(request.resource.metadata.height) <= 4096;
+    }
+
+    // =========================================================================
+    // ANTI-PATTERNS: NEVER DO THIS
+    // =========================================================================
+
+    // BAD: Allows anyone to read/write everything
+    // match /{allPaths=**} {
+    //   allow read, write: if true;
+    // }
+
+    // BAD: No file type validation (allows malware uploads)
+    // match /uploads/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // BAD: No size limits (allows storage cost attacks)
+    // match /files/{file} {
+    //   allow write: if request.auth != null;
+    // }
+
+    // =========================================================================
+    // DEFAULT: DENY ALL (Safety net)
+    // =========================================================================
+
+    // Deny access to any path not explicitly defined above
+    match /{allPaths=**} {
+      allow read, write: if false;
+    }
+  }
+}