Reputation: 5577
We are using Google sign-in in our app, but we also have a function to "skip authentication".
For authenticated users we have the following rule:
function isSignedIn() {
  return request.auth != null;
}
For "skip authentication" we are not using anonymous Firebase login; we are using a kind of local caching mechanism.
The question is: is there a way to add a rule for "skipped users" with some hardcoded obfuscated token?
Upvotes: 0
Views: 32
Reputation: 317392
It's not possible to send extra information along with a query in order to authorize the query using security rules. This is not secure, as anyone would be able to bypass the rules simply by knowing the "password" in this case. All identity-based authorization must go through a Firebase Authentication user account - there are currently no alternatives.
Upvotes: 1
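Because rules can only evaluate `request.auth`, one way to give "skipped" users a rule of their own is to sign them in with Firebase anonymous authentication and branch on the sign-in provider. The following is an added example, not code from the question or the answer; it assumes Cloud Firestore, and the collection names `publicContent`, `users` and `guestSessions` are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Rule from the question: any Firebase Authentication user.
    function isSignedIn() {
      return request.auth != null;
    }

    // True only for "skip authentication" users signed in anonymously.
    function isGuest() {
      return isSignedIn()
        && request.auth.token.firebase.sign_in_provider == 'anonymous';
    }

    // True only for users who completed Google sign-in.
    function isGoogleUser() {
      return isSignedIn()
        && request.auth.token.firebase.sign_in_provider == 'google.com';
    }

    // Hypothetical collection: readable by guests and Google users alike,
    // never writable from a client.
    match /publicContent/{docId} {
      allow read: if isSignedIn();
      allow write: if false;
    }

    // Hypothetical collection: per-user data, Google accounts only,
    // and only the document tree that matches the caller's own uid.
    match /users/{uid}/{document=**} {
      allow read, write: if isGoogleUser() && request.auth.uid == uid;
    }

    // Hypothetical collection: guest scratch data keyed by the anonymous uid.
    match /guestSessions/{uid} {
      allow read, write: if isGuest() && request.auth.uid == uid;
    }
  }
}
```

The provider claim is set by Firebase Authentication inside the signed ID token, so unlike a hardcoded value shipped in the app it cannot be chosen by the client.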