iCediCe

Reputation: 1722

Security in Firebase/Firestore

In a project I'm currently working on I'm using Cloud Firestore as the underlying DB.

I need my client (iOS and Android) to be able to read (no write access at all) documents from Cloud Firestore regardless of whether the user is logged in or not (actually not going to use Firebase Auth at all).

I do not want anyone to be able to access the data from outside the apps (through the REST endpoints, for example). I guess what I need is to bake some sort of API key into the app that grants the access, but I do not see how I can do this. Can anyone guide me in the right direction?

Upvotes: 3

Views: 726

Answers (1)

Vincent

Reputation: 1651

I know you say you don't want to use Firebase Auth, but I think signing in anonymously is the way to go. This will allow them to receive a uid without signing up/logging in, so you can validate them in your Firebase/Firestore security rules. The web version looks something like this, but it's implemented for Android/iOS as well. This code is taken directly from here.

firebase.auth().signInAnonymously().catch(function(error) {
  // Handle Errors here.
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});

firebase.auth().onAuthStateChanged(function(user) {
  if (user) {
    // User is signed in.
    var isAnonymous = user.isAnonymous;
    var uid = user.uid;
    // ...
  } else {
    // User is signed out.
    // ...
  }
  // ...
});

iOS version
Android version

Upvotes: 1
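
A Firestore security rules file matching the approach in the answer above, added here as an example (not part of the original answer or of Firebase's sample code): read-only access for any signed-in user, anonymous sign-ins included, and no client writes. The catch-all path `/{document=**}` is an assumption, since the question does not name its collections.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumption: one policy for every document; narrow the path
    // to specific collections in a real project.
    match /{document=**} {
      // request.auth is null when the request carries no Firebase Auth
      // ID token, so calls made without signing in are denied.
      allow read: if request.auth != null;
      // Clients never write; data is managed from the console or a
      // server using the Admin SDK, which bypasses these rules.
      allow write: if false;
    }
  }
}
```

With this rule an unauthenticated request to the Firestore REST endpoint is rejected, while any client holding a valid Firebase Auth ID token, including an anonymous one, can read. The rule checks that a token is present, not which application obtained it.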
