FiringBlanks

Reputation: 2084

Advice for Firebase Rules

I've modified my Firestore rules slightly to the following code below (requiring users to be authenticated in order to write). What other restrictions would you suggest making in order to secure a site?

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}

Upvotes: 0

Views: 26

Answers (1)

Philip

Reputation: 136

Sorry. I cannot comment at the moment, so all I can do is write an answer.

My experience is as follows.

Make sure you are only providing access to data based on needs.

So start with no access for anything and explicitly add access when it is needed. You will be told by the developers, or work it out yourself, when access is needed, and you can then add it for that collection. Doing this the opposite way round, where everything is readable or readable by authenticated users, will never identify when you have given too many permissions.

For instance, if a collection is used by a cloud function and nothing else then read access is not needed.

So explicitly add permissions by collection rather than for everything.

If read access is needed by users who are not authenticated, then add read, but if it is only needed by authenticated users, then make it

allow read: if request.auth != null;

If a document should only be accessed by the current authenticated user, then restrict it by that user, not just all authenticated users.

allow read: if request.auth.uid == userId;

See the Firestore help on rules.

In addition, rules can include data validation. This allows length checking, value checking, etc., and can also restrict access per operation (create, update, delete) rather than just read and write. For example

match /users/{userId} {
  allow read, update, delete: if request.auth.uid == userId;
  allow create: if request.auth.uid != null;
}

and

allow read: if resource.data.userType == 'reader';

There are some good videos on this subject such as this one

Video on firestore security rule use

Upvotes: 1
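Putting the answer's points together (deny by default, per-collection rules, owner-only access, per-operation rules, and data validation), here is a complete rules file as an added example. It is not from the question or the answer; the collection names (`users`, `posts`, `jobs`), the field names (`displayName`, `userType`, `published`, `authorId`, `title`) and the helper function names are assumptions chosen for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (names are assumptions for this example).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }
    // Validate the shape of a user profile document: only the listed keys,
    // a bounded display name, and a userType drawn from a fixed set.
    function validProfile(data) {
      return data.keys().hasOnly(['displayName', 'userType', 'createdAt'])
        && data.displayName is string
        && data.displayName.size() >= 1
        && data.displayName.size() <= 50
        && data.userType in ['reader', 'author'];
    }

    // Default deny: there is deliberately no "match /{document=**}" block,
    // so any collection not listed below is inaccessible to clients.

    // /users/{userId}: readable and writable only by the owner.
    // create and update must write a valid profile; the user may not
    // change their own userType after creation.
    match /users/{userId} {
      allow read: if isOwner(userId);
      allow create: if isOwner(userId)
        && validProfile(request.resource.data);
      allow update: if isOwner(userId)
        && validProfile(request.resource.data)
        && request.resource.data.userType == resource.data.userType;
      allow delete: if isOwner(userId);
    }

    // /posts/{postId}: unauthenticated read of published posts only;
    // create/update/delete by the author recorded in the document.
    // delete is separate because request.resource is not available then.
    match /posts/{postId} {
      allow read: if resource.data.published == true;
      allow create: if signedIn()
        && request.resource.data.authorId == request.auth.uid
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200;
      allow update: if signedIn()
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200;
      allow delete: if signedIn()
        && resource.data.authorId == request.auth.uid;
    }

    // /jobs/{jobId}: written only by Cloud Functions using the Admin SDK,
    // which bypasses rules, so clients get no access at all.
    match /jobs/{jobId} {
      allow read, write: if false;
    }
  }
}
```

Two caveats worth remembering when using rules like these. Rules are not filters: a client listing `posts` must include `where('published', '==', true)` in the query, otherwise the whole query is rejected rather than silently trimmed. And `request.resource.data` is the incoming document on create and update, while `resource.data` is the stored one; comparing the two is how you prevent a user from rewriting fields such as `authorId` or `userType` that the server should control.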
