Reputation: 143
I am using firestoreConnect from the react-redux library to get access to my Firestore database and update my (redux) store if the database is changed. However, I noticed the piece of code used to retrieve the data also works when there's no user signed in, and I am worried that somebody could open the sources in the browser and make changes (highlighted in the code below) to the code under firestoreConnect to get access to sensitive database info.
Please tell me if I am thinking right. I am very new to Firebase and Firestore. Help will be much appreciated.
```javascript
// useFirestoreConnect is provided by react-redux-firebase
import React from 'react';
import { useFirestoreConnect } from 'react-redux-firebase';

function DataLog() {
  // Subscribes the redux store to the documents under
  // solus-lr/data-log/<date collection>
  useFirestoreConnect(() => [
    {
      collection: 'solus-lr',
      doc: 'data-log',
      subcollections: [
        {
          collection: 'Wed, 02 Oct 2019', // make changes here
        },
      ],
    },
  ]);
  return null;
}
```
Upvotes: 0
Views: 42
Reputation: 599031
To be able to access your database from your app, you'll include a bunch of configuration data. This is necessary for the app to be able to find your project on the server(s). Anyone who has access to your app can copy this configuration data and use the Firebase API to also access your project.
This is why Firebase includes security rules, which are a declarative language that is automatically enforced on the server and which determines what data can be accessed by whom.
By default your database is set to only allow reads/writes by an administrator. If your database allows reads/writes by anyone, it means you've set the security rules to allow that. Most likely you did that through the dialog in the Firebase console, which explicitly warns about the risk of making that change.
If your security rules allow read/write access by anyone, then indeed anyone with the configuration data of your project can access all data.
I highly recommend you check out the Firebase documentation on security rules, and Doug's video series on them.
Upvotes: 2
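To make the answer concrete, here is an added example of what the two situations look like in a Firestore rules file. It is not code from the question or the answer; the collection and document names are taken from the question's snippet, and everything else (the rules version header, the `match` structure) is standard Firestore rules syntax. The first block is the kind of open rule the console's "test mode" dialog produces; the second only lets signed-in users read the data-log subcollections and leaves writes to administrative (server-side) access, which bypasses rules entirely.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK: what "allow anyone" looks like. Any client that has the
    // project configuration can read and write every document,
    // whether or not a user is signed in.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: only the paths the app actually uses, and only for
    // signed-in users. request.auth is null for anonymous requests,
    // so editing the collection name in the browser gains nothing
    // without a valid Firebase ID token.
    match /solus-lr/data-log/{dateCollection}/{docId} {
      allow read: if request.auth != null;
      // Writes are not granted to clients at all; the data log is
      // written by a trusted process using the Admin SDK.
      allow write: if false;
    }

    // Everything not matched above stays closed.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two practical notes. Rules are not filters: a listener on a whole subcollection, like the one in the question, succeeds only if the rule grants read access to every document the query could return, so the `allow read` above applies to the whole `dateCollection` path rather than to individual documents. And a rule that merely requires `request.auth != null` still lets any account in the project read the log; if the data belongs to specific users, narrow the condition further (for example by comparing `request.auth.uid` to a field on the document), then exercise both the allowed and the denied cases in the Rules Playground or the emulator before deploying.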