From b942e65bb72d681433a0fa69cf7ba0c35aa28f5d Mon Sep 17 00:00:00 2001
From: Marshall Polaris <marshall@pol.rs>
Date: Tue, 26 Apr 2022 00:22:49 -0700
Subject: [PATCH] Harden Firestore comment posting rule

This prevents people from posting comments with inauthentic
user information.
---
 firestore.rules | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/firestore.rules b/firestore.rules
index 88be0ed1..e11fd06f 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -45,9 +45,18 @@ service cloud.firestore {
       allow read;
     }
 
+    function commentMatchesUser(userId, comment) {
+      // it's a bad look if someone can impersonate other ids/names/avatars so check everything
+      let user = get(/databases/$(database)/documents/users/$(userId));
+      return comment.userId == userId
+        && comment.userName == user.name
+        && comment.userUsername == user.username
+        && comment.userAvatarUrl == user.avatarUrl
+    }
+
     match /{somePath=**}/comments/{commentId} {
       allow read;
-      allow create: if request.auth != null;
+      allow create: if request.auth != null && commentMatchesUser(request.resource.data, request.auth.uid);
     }
 
     match /{somePath=**}/answers/{answerId} {