user7154703

Firestore - How to setup security rule without Auth, but based on Android client/request data

In my case, the Firestore database looks like the structure below, where each Android client will have one document mapped to his/her device, e.g. Document_sdfljkhsdio (specific to Android User 1):

FireStoreCollection
     Document_sdfljkhsdio  ( specific to Android User 1 ) 
            Collection_xyz 
                  Document_xyz                      
     Document_kjjkssefd  ( specific to Android User 2 ) 
            Collection_xyz 
                  Document_xyz                      
     Document_sqdfwdfsme  ( specific to Android User 3 ) 
            Collection_xyz 
                  Document_xyz  

I am not implementing Google Auth, but instead want to send the document name Document_sdfljkhsdio as request data and match it with some rules in the Firebase Console:

service cloud.firestore {
  match /databases/{database}/documents {
    match /document/{document_sent_from_client}/ {
      allow read, write: if request.document_sent_from_client == document_sent_from_client;
    }
  }
} 

I am not sure if it is possible to send the document name from an Android device. If yes, please suggest.

Also, please suggest whether it is the correct approach, or suggest a better approach if you have one.

Thanks for your help in advance.

Upvotes: 0

Views: 1742

Answers (1)

Frank van Puffelen

Reputation: 598740

Sounds totally feasible. To pass the document_sent_from_client from an Android client, just build a DocumentReference with a path to /document/document_sent_from_client. Modified from the documentation:

// Assumes db is a FirebaseFirestore instance and TAG is the class's log tag.
DocumentReference docRef = db.collection("document").document("document_sent_from_client");
docRef.get().addOnCompleteListener(new OnCompleteListener<DocumentSnapshot>() {
    @Override
    public void onComplete(@NonNull Task<DocumentSnapshot> task) {
        if (task.isSuccessful()) {
            DocumentSnapshot document = task.getResult();
            // exists() is false when there is no document at this path.
            if (document != null && document.exists()) {
                Log.d(TAG, "DocumentSnapshot data: " + document.getData());
            } else {
                Log.d(TAG, "No such document");
            }
        } else {
            // The read was rejected or could not be completed.
            Log.d(TAG, "get failed with ", task.getException());
        }
    }
});

But the security rules don't help here: if the client requests an existing document (i.e. if they know the path to a document), they will get a result. If they request a non-existing document (i.e. if they don't know the path to a document), the task will fail.

You're essentially depending on the key in document_sent_from_client to be reasonably unguessable. Such "security by obscurity" is fairly common in the absence of an authenticated user.

Upvotes: 1
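
An added example, not part of the question or the answer and not taken from the Firebase documentation: because the approach above depends on each document name staying unguessable, this rule set grants `get` on a single document but never `list`, since `read` covers both and `list` would let any client enumerate every device's document name. The collection names `document` and `Collection_xyz` come from the page; the wildcard names `deviceDoc` and `item` are illustrative assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak form, shown commented out: `read` is get + list, so any
    // unauthenticated client could query the whole collection and learn
    // every device's document name.
    // match /document/{deviceDoc} {
    //   allow read, write: if true;
    // }

    // Corrected form: the document name acts as the only secret.
    // deviceDoc and item are illustrative wildcard names.
    match /document/{deviceDoc} {
      // Fetching one document requires already knowing its full path.
      allow get: if true;
      // A client may create and update the document it knows the name of.
      allow create, update: if true;
      // list and delete are not granted, so they are denied by default.

      // Reads and writes here are reachable only through a path that
      // already contains the parent document name.
      match /Collection_xyz/{item} {
        allow read, write: if true;
      }
    }

    // No /{path=**}/Collection_xyz/{item} match is declared, so collection
    // group queries across all devices are denied under rules_version 2.
  }
}
```

These rules stop names from being listed through Firestore; they do not make a short or predictable name any harder to guess, so the name generated on the device still needs to be long and random.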
