Reputation: 8258
I have a web app that is basically a list of public items; non-authenticated users can search the database and list the search results from the collection. Until I started getting daily emails from Firebase about "insecure rules in my Firestore database", I thought everything was OK, but now I am doubting them.
Here are my rules:
    service cloud.firestore {
      match /databases/{database}/documents {
        // Recursive wildcard: matches every document in every collection
        match /{document=**} {
          allow read: if true;
          allow write: if request.auth.uid != null;
        }
      }
    }
I am new to Firebase/Firestore and trying to understand:
1- The data is meant to be public, but I am getting emails from Firebase; are these rules actually an issue?
2- Although the data is meant to be public, it would suck if someone just dropped by and downloaded the entire collection in one go. So, is it possible to restrict public access a little by somehow preventing access to the collections/documents unless the request comes from the web app/domain? Maybe some form of token? Or some other approach?
Upvotes: 1
Views: 953
Reputation: 317467
Right now, your rules allow public read access to all documents in your database, as well as write access to all documents for authenticated users. Firebase generally considers that insecure.
The global, recursive /{document=**} wildcard is kind of dangerous since it might apply to data that you didn't intend to be readable or writable. You should instead call out the specific names of the collections in individual rules. That way, if you create new collections, they will not be automatically included by the wildcard.
In general, your rules should be as specific as possible and not depend on a global recursive wildcard.
Upvotes: 3
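As an added illustration of the answer above (this is example rules text written for this page, not the answerer's or the original poster's code), here is the same policy rewritten to name one collection explicitly instead of using the recursive wildcard, and to bound how much a single unauthenticated query can pull. The collection name `items`, the document id variable `itemId` and the limit of 50 are assumptions; substitute the app's real collection name and a limit that fits its pages.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection name: only this path is opened up.
    // Any collection that is not matched here is denied by default,
    // so a new collection added later is not silently made public.
    match /items/{itemId} {
      // Reading a single known document stays public.
      allow get: if true;

      // Listing/searching stays public, but a query must carry a limit
      // so that one request cannot return the whole collection.
      // (50 is an assumed value; pick one that matches the app's page size.)
      allow list: if request.query.limit != null && request.query.limit <= 50;

      // Writes still require a signed-in user.
      allow write: if request.auth != null;
    }
  }
}
```

Two caveats for the second question in the post: the `list` limit only bounds the size of each request, so a determined client can still page through the data in chunks, and security rules have no notion of the requesting web page or domain, so they cannot by themselves tie access to "requests from the web app"; Firebase App Check is the feature designed for attesting that requests come from your app.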