
Security: Bugslayers-o-o/mind60-final


SECURITY.md

Security Hardening Notes

This repo now includes a safer Firebase baseline:

  • firestore.rules
  • storage.rules
  • firebase.json

Deploying Rules

firebase deploy --only firestore:rules,storage

Firestore Rules Intent

  • Users can read only their own users/{uid} document
  • Users can create their own profile, but the effective role must remain user
  • Professional intent is stored as requestedRole, not trusted authorization
  • Users can only update safe self-owned fields such as alias
  • Mood entries are owner-only
  • posts, comments, and reactions are never written directly by the client; only the backend writes them
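The following firestore.rules is an added illustration of the intent listed above, not the rules file shipped in this repo. It assumes a moods subcollection under each user document, posts with comments and reactions subcollections, and that requestedRole is one of the fields a user may set on their own profile; read access to posts for signed-in users is likewise an assumption.

```rules
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // users/{uid}: readable only by the owner of the document.
    match /users/{uid} {
      allow read: if isOwner(uid);

      // Create: the client may write its own profile, but the effective role
      // must be present and pinned to 'user'. Professional intent goes into
      // requestedRole; it is a request, not an authorization. Only the backend
      // (Admin SDK, which bypasses these rules) ever sets role itself.
      allow create: if isOwner(uid)
        && request.resource.data.role == 'user'
        && (!('requestedRole' in request.resource.data)
            || request.resource.data.requestedRole in ['user', 'professional']);

      // Update: only safe, self-owned fields may change. role is not in the
      // allowed set, so a client cannot promote itself. (requestedRole being
      // client-updatable is an assumption of this example.)
      allow update: if isOwner(uid)
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(['alias', 'requestedRole']);

      allow delete: if false;

      // Mood entries are owner-only; ownership comes from the path, not the body.
      // (Subcollection name is an assumption.)
      match /moods/{moodId} {
        allow read, write: if isOwner(uid);
      }
    }

    // posts, comments, reactions: readable by signed-in users (assumption),
    // never writable from the client. The backend writes them with the
    // Admin SDK, which is not subject to these rules.
    match /posts/{postId} {
      allow read: if signedIn();
      allow write: if false;

      match /comments/{commentId} {
        allow read: if signedIn();
        allow write: if false;
      }
      match /reactions/{reactionId} {
        allow read: if signedIn();
        allow write: if false;
      }
    }
  }
}
```

The update rule relies on affectedKeys().hasOnly(...) rather than checking role explicitly, so any field not in that list (role included) is rejected even if a future client adds new fields. A missing role on create makes the comparison error out, which the rules engine treats as a denial.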

Storage Rules Intent

  • Only authenticated users can upload
  • Uploads are restricted to posts/{uid}/...
  • Only the authenticated owner can write/delete their own uploads
  • Files must be jpeg/png/webp
  • Files must be under 5 MB
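An added storage.rules illustrating the intent above; it is an example written here, not the file in this repo. It assumes that signed-in users may read post images, and uses a recursive wildcard so that any depth under posts/{uid}/ is covered.

```rules
rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {

    function signedIn() {
      return request.auth != null;
    }

    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Allowed image types and the 5 MB cap from the hardening notes.
    function isAllowedImage() {
      return request.resource.contentType.matches('image/(jpeg|png|webp)')
          && request.resource.size < 5 * 1024 * 1024;
    }

    // Uploads only under posts/{uid}/...; the uid segment must be the caller.
    // Any path outside this match has no rule and is denied by default.
    match /posts/{uid}/{allPaths=**} {
      // Read policy is an assumption of this example.
      allow read: if signedIn();

      // create/update carry request.resource, so type and size are checked here.
      allow create, update: if isOwner(uid) && isAllowedImage();

      // delete has no request.resource; a combined "write" rule that touched
      // contentType would error and deny every delete, so it is split out and
      // authorized by ownership alone.
      allow delete: if isOwner(uid);
    }
  }
}
```

Splitting create/update from delete is the part most often got wrong: on a delete request.resource is null, so a single allow write rule that references request.resource.contentType evaluates to an error and owners can no longer remove their own files.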

Remaining Work

  • Replace the in-memory rate limiter with Redis or provider-side throttling
  • Review Firebase Console configuration to ensure these rules are actually deployed
  • Remove or rewrite any stale README snippets that still show permissive example rules

Admin Role Approval Flow

The backend now supports an allowlisted admin approval flow for professional roles.

Set this in backend/.env:

ADMIN_UIDS=uid_one,uid_two

Available endpoints:

  • GET /api/users/admin/role-requests
  • POST /api/users/admin/role-requests/{uid}/approve
  • POST /api/users/admin/role-requests/{uid}/reject

Only UIDs listed in ADMIN_UIDS can use these endpoints.
