
Re: Securing Databases
It's not that it's hard to write the rules. You can parameterise the paths, access those variables directly and compare them to claims in the JWT token* easily. It's possible to write granular roles easily. I put it down to a few reasons:
1. For people who don't think "how can this be abused?", it's even easier to write a rule that grants read (or, even worse, write) access to anyone who's authenticated, forgetting that you need to compare the uid, roles, scopes, etc.
2. People write lax rules during development for ease of use and forget to tighten them up.
3. Writing rules is boring and feels unproductive as you see no change in the front end.
I'm currently writing an app that uses Firestore and the first thing I do is give my test user data realistic roles so I'm not tempted to be lazy. I give read access to those who need it and writes are done via a web API so I can validate data properly.
Also, a lot of the apps may be written by web developers who haven't had to consider that db security takes more thought than it appears to.
*Calling the department of redundancy department.
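As an added example (not the poster's code), a Firestore rules file contrasting the lax "anyone authenticated" rule the post warns about with a tightened version that compares the path variable to the caller's uid and reads a role from a custom claim; the `users` and `projects` collections, the `members` field and the `admin` claim are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Lax rule of the kind the post describes: any signed-in user can read
    // AND write every document under /users, whoever owns it.
    // Shown commented out for contrast; the tightened block below replaces it.
    // match /users/{userId} {
    //   allow read, write: if request.auth != null;
    // }

    // Tightened: the {userId} path variable is compared to the caller's uid.
    // Writes stay closed here because, as in the post, they go through a web
    // API (Admin SDK bypasses these rules) where the data can be validated.
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if false;
    }

    // Role checks come from custom claims carried in the ID token.
    // The 'admin' claim is an assumption for this example.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    // /projects and its 'members' list are assumptions for this example.
    match /projects/{projectId} {
      // resource.data is the stored document; multiple allow lines OR together.
      allow read: if request.auth != null
                  && request.auth.uid in resource.data.members;
      allow read: if isAdmin();
      allow write: if false;
    }
  }
}
```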