Doubt about Security / Firebase Permission / iDOOR Vulnerability

If I enable FlutterFlow's integration with Firebase and Firestore, how does it operate behind the scenes?

When a FlutterFlow app has permission to query a Firestore collection, does this mean that the app can query any data within that collection, or are there safeguards in place to prevent unauthorized access to data?

How can we mitigate the risk of a potential security vulnerability, such as a scenario where one user could access another user's data (iDOOR vulnerability)?

My understanding is that one way to address this issue is using Cloud Functions and implementing a logic that validates the type of data a user can access.

To ensure the highest level of security and minimize vulnerability risks, is it possible to grant FlutterFlow only Firebase Authentication permissions? How? Keeping the [email protected] as editor and simply removing Firestore permissions suffice for this strategy?

5 replies