Dave

Reputation: 29131

Your Cloud Firestore database has insecure rules: any user can read your entire database

Building an app, using Firestore database for its content.

Rules are:

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /{document=**} {
      // This is the rule the console warns about: anyone, signed in or not, can read everything
      allow read: if true;
      // Check for a token first; without it request.auth is null and the comparison errors out
      allow write: if request.auth != null
                   && request.auth.uid == request.resource.data.author_uid;
    }
  }
}

As the warning says, I have allow read just set to true, which, I understand, is a problem.

How do I make it so my Flutter app can read the contents of my Firestore database, but any random user can't? The app is public/free...etc, so I don't want people to have to login.

Do I give my app some kind of code and check against that? Or...?

Update: I see that there is anonymous login, which could solve the issue, but is that overkill? Does it actually help? Will it then keep my app from being used offline? ...etc

Upvotes: 1

Views: 2955

Answers (2)

Frank van Puffelen

Reputation: 599131

While you can nowadays limit abuse from non-authorized code with Firebase App Check, this is no guarantee. There is no guaranteed way to secure access based on it being your app, or your code. That's simply not how security works with cloud based services.

If you want to limit access to legitimate users of your app, you will have to sign those users in and somehow legitimize them.

What legitimate means here is up to you of course. Whether that is "they are signed in" (request.auth != null), or that they verified their email address so you can contact them (request.auth.token.email_verified == true), or one of the many other options, it's all possible.

Also see:

Upvotes: 4
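A hardened version of the asker's rules along the lines this answer describes, added here as an example and not taken from either post. It assumes a hypothetical `posts` collection and reuses the `author_uid` field from the question; `request.auth != null` is also satisfied by anonymous sign-in, which the asker mentions in the update.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // The request carries a Firebase Auth token (anonymous sign-in counts).
    function signedIn() {
      return request.auth != null;
    }
    // The caller is the author recorded on the given document data.
    function isAuthor(doc) {
      return signedIn() && doc.author_uid == request.auth.uid;
    }

    // Hypothetical collection name; any path under documents works the same way.
    match /posts/{postId} {
      // Reads: any signed-in user, including anonymous sessions.
      allow read: if signedIn();
      // Create: the caller must stamp itself as the author of the new document.
      allow create: if isAuthor(request.resource.data);
      // Update: only the existing author, and the author field cannot be reassigned.
      allow update: if isAuthor(resource.data)
                    && request.resource.data.author_uid == resource.data.author_uid;
      // Delete: there is no request.resource on a delete, so check the stored document.
      allow delete: if isAuthor(resource.data);
    }
  }
}
```

Splitting `write` into `create`, `update` and `delete` matters because `request.resource` is absent on deletes, so the asker's single `allow write` line would deny every delete even for the author.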

Radha Manohar

Reputation: 419

In the Rules Section of the Database, try to code them like, if the user is logged in then he will have access. Follow this link for more info.

Upvotes: 0
