No visible Firebase Auth — Firestore rules are sole access control

## Severity: MODERATE

## Affected Files
- Throughout codebase (no Firebase Auth sign-in anywhere)

## Problem

There is no user authentication visible in the codebase. Security relies entirely on:
- Firestore security rules (which are gitignored and not auditable by users)
- Knowledge of the `pairingId` to query relevant documents
- AES-GCM encryption of content

If the Firestore rules are permissive, anyone who discovers a `pairingId` could read encrypted clipboard data (though they couldn't decrypt it without the key). Without auth, there's no way to enforce per-user access controls at the database level.

## Recommendation

1. **Add anonymous Firebase Auth** at minimum for the default hosted backend — this gives each device a UID that Firestore rules can enforce
2. **Allow users to bring their own Firebase project** — let users provide their own `google-services.json` (Android) / `GoogleService-Info.plist` (macOS) with their own auth configuration. This gives security-conscious users full control over their backend, auth rules, and data residency
3. **Publish Firestore rules** — consider committing a reference copy of the Firestore security rules so users can audit the access controls

> [!Note]
> Responses generated with Claude

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No visible Firebase Auth — Firestore rules are sole access control #10

Severity: MODERATE

Affected Files

Problem

Recommendation

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

No visible Firebase Auth — Firestore rules are sole access control #10

Description

Severity: MODERATE

Affected Files

Problem

Recommendation

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions