MauriceNino

Reputation: 6757

Can you send data with a Firestore read request?

I want to give not signed-in users the option to view their data via a token they get sent, that expires after some time.

The token creation and sending part is done and now I see two options: do everything in a function OR use a Firestore rule. Rules would be better though, as a direct database read is faster.

For example, I have a user collection with users looking like this:

{
   name: 'test',
   token: '1234',
   expiresAt: <someTimeInFuture>
}

and my rules would look like this:

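service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Only the signed-in owner may read or update their own document
      allow get: if request.auth.uid == userId;
      allow update: if request.auth.uid == userId;

      // No listing, creating or deleting from clients
      allow list: if false;
      allow create, delete: if false;
    }
  }
}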

Is there any way to extend the get rule so that users who send that token in their read request can view the data? Or better said: can I send the token with my read request, so that I can view it in the rule?

Keep in mind that a custom claim is not an option, as the user is not signed in.

Upvotes: 1

Views: 130

Answers (1)

Doug Stevenson

Reputation: 317497

Security rules do not support the idea that a client can simply send custom data in a request for validation. That's not actually "secure" at all. It's like asking someone to provide a password that could be shared anywhere on the internet. You will need a backend endpoint to do this, but bear in mind that it will also have the same security issue.

Upvotes: 1
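
The check a backend endpoint would have to perform for the token scheme in the question, added here as an example; it is not code from the question or the answer. The function names are hypothetical and a `Map` stands in for the `users` collection. The token remains a bearer secret, so the check only bounds its lifetime and keeps it out of the response.

```javascript
// Constructed sample data: a Map stands in for the Firestore "users" collection.
const users = new Map([
  ["alice", { name: "test", token: "1234", expiresAt: Date.parse("2030-01-01T00:00:00Z") }],
]);

// Compare two strings without returning early at the first mismatch.
// (In Node.js, crypto.timingSafeEqual on equal-length buffers does the same job.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Hypothetical handler logic: returns { status, body } the way an HTTP endpoint would.
function readWithToken(store, userId, presentedToken, now = Date.now()) {
  const denied = { status: 403, body: null }; // same answer for every failure
  if (typeof userId !== "string" || typeof presentedToken !== "string" || presentedToken === "") {
    return denied;
  }
  const doc = store.get(userId);
  // Compare even when the user is unknown, so that case takes the same path.
  const stored = doc && typeof doc.token === "string" ? doc.token : "";
  const tokenOk = constantTimeEqual(presentedToken, stored) && stored !== "";
  // The expiry is checked against the server's clock, never a client-supplied time.
  const fresh = Boolean(doc) && typeof doc.expiresAt === "number" && now < doc.expiresAt;
  if (!tokenOk || !fresh) return denied;
  // Return only the non-secret fields; the token and its expiry stay server-side.
  const { token, expiresAt, ...publicFields } = doc;
  return { status: 200, body: publicFields };
}
```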
