Identification Failures in Axum with Firestore
Identification Failures in Axum with Firestore — how this specific combination creates or exposes the vulnerability
An Identification Failure occurs when an API fails to reliably distinguish between actors and their intended actions, often allowing one user to access or modify another user’s data. In an Axum service that uses Google Cloud Firestore as the backend persistence layer, this typically manifests when identifiers such as user IDs or resource keys are derived from untrusted input or are inconsistently enforced across data access paths.
Firestore’s model of namespaced documents and collections can inadvertently support insecure direct object references when the application constructs document references from user-controlled IDs without verifying authorization. For example, if an endpoint accepts a user_id from a request and directly uses it to build a Firestore path like users/{user_id}/profile, an attacker can substitute another user’s ID and read or write that document if the server does not independently validate that the authenticated subject is permitted to access that specific document.
The Axum framework itself does not enforce any authorization; it relies on the application to implement checks. When developers couple Axum’s routing and extractor patterns with Firestore’s flexible document model, they must explicitly enforce ownership and tenant boundaries. Without these checks, the combination of a permissive Firestore security ruleset (or overly permissive server-side SDK usage) and missing ownership validation in Axum handlers results in Insecure Direct Object Reference (IDOR) and related Identification Failures.
Consider a handler that retrieves an audit log entry by ID:
async fn get_audit_entry(
Extension(db): Extension,
Path(entry_id): Path,
) -> Result, (StatusCode, String)> {
let doc_ref = db.collection("audit_logs").doc(&entry_id);
let snapshot = doc_ref.get().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
if let Some(value) = snapshot.get() {
serde_json::from_value(value).map(Json).map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))
} else {
Err((StatusCode::NOT_FOUND, "Entry not found".into()))
}
}
If entry_id is user-supplied and the function does not verify that the authenticated subject has permission to view this specific log entry (for example, by checking that the entry belongs to the user’s organization or tenant), the handler exposes an Identification Failure. An attacker who iterates over known IDs can enumerate sensitive audit records.
Similarly, when Firestore is used for multi-tenant data, missing tenant ID validation in Axum extractors leads to cross-tenant data leakage. For instance, if a Firestore document path includes a tenant segment (e.g., tenants/{tenant_id}/users/{user_id}) but the server-side code only uses user_id from the request without confirming that the tenant matches the authenticated user’s tenant, attackers can pivot across tenants by altering the tenant identifier in the request.
Insecure direct object references in this context also intersect with BOLA (Broken Level Authorization) and BFLA (Broken Function Level Authorization). A BOLA scenario arises when a user can access another user’s resource by guessing or iterating IDs. A BFLA scenario may occur when a user invokes a generalized “update profile” function that under some conditions modifies administrative fields because the handler does not verify the scope of the update.
Firestore-Specific Remediation in Axum — concrete code fixes
Remediation centers on enforcing authorization checks before constructing Firestore references and ensuring that every document access validates the relationship between the authenticated subject and the target resource. Below are concrete Axum patterns and Firestore SDK usage examples that address Identification Failures.
1. Validate ownership with Firestore lookups
Before reading or writing a document, fetch a minimal authoritative mapping (such as a user-to-ownable resource index) to confirm ownership. Avoid using client-provided IDs alone to form paths.
async fn get_user_profile(
Extension(db): Extension,
Extension(auth): Extension,
Path(user_id): Path,
) -> Result, (StatusCode, String)> {
// Ensure the requested user_id matches the authenticated subject
if auth.subject.user_id != user_id {
return Err((StatusCode::FORBIDDEN, "Access denied".into()));
}
let doc_ref = db.collection("users").doc(&user_id);
let snapshot = doc_ref.get().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
if !snapshot.exists() {
return Err((StatusCode::NOT_FOUND, "Profile not found".into()));
}
serde_json::from_value(snapshot.get().unwrap().clone())
.map(Json)
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))
}
2. Enforce tenant scoping for multi-tenant data
Include the tenant identifier in both the Firestore path and the authorization check, ensuring that a user can only access resources under their tenant.
async fn list_tenant_users(
Extension(db): Extension,
Extension(auth): Extension,
) -> Result>, (StatusCode, String)> {
let tenant_id = &auth.subject.tenant_id;
let users_ref = db.collection("tenants").doc(tenant_id).collection("users");
let snapshot = users_ref.get().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
let users: Result, _> = snapshot.iter()
.map(|doc| serde_json::from_value(doc.get().clone()).map_err(|e| e.into()))
.collect();
Ok(Json(users.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?))
}
3. Use Firestore security rules as a safety net, not the primary control
Server-side checks remain essential because rules may be misconfigured or bypassed by privileged service accounts. Treat rules as a last line of defense and always enforce authorization in application code. Example rule snippet (not a substitute for server checks):
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}
4. Apply consistent input validation and canonical resource identifiers
Normalize IDs to prevent path confusion (e.g., leading/trailing spaces or case differences). Use Firestore’s built-in document IDs when possible, or map opaque tokens to document references via a trusted index collection.
async fn safe_update(
Extension(db): Extension,
Extension(auth): Extension,
Path(canonical_id): Path,
body: Json,
) -> Result {
let doc_ref = db.collection("entities").doc(canonical_id.to_string());
// Confirm ownership via an index or embedded tenant/user field
let doc = doc_ref.get().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
if doc.get::("tenant_id") != Some(&auth.subject.tenant_id) {
return Err((StatusCode::FORBIDDEN, "Cross-tenant access not allowed".into()));
}
// Proceed with update
doc_ref.set(serde_json::to_value(body.into_inner()).unwrap()).await
.map(|_| StatusCode::OK)
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))
}
middleBrick and related tooling
You can use the middleBrick CLI to scan an Axum + Firestore API for Identification Failures and related issues without installing agents or providing credentials: middlebrick scan <url>. The CLI outputs JSON or text findings, including severity and remediation guidance. For teams, the Pro plan adds continuous monitoring and CI/CD integration, while the GitHub Action can fail builds when risk scores drop below your configured threshold.
If you use AI coding assistants in your development workflow, the MCP Server enables scanning APIs directly from the IDE, surfacing potential Identification Failures as you write handlers.