Neli

Reputation: 741

Firestore Read - Rule for Webapp

I'm using Firestore for the data of my webapp. Therefore read needs to be possible for everyone visiting my webapp.

Preferably I want to restrict read to the domain, but I guess this is not possible. Therefore I just leave it open for everyone. However, Google reminds me every day that my Firebase rules are insecure.

What is the best practice to do that? Do I need to use Cloud Functions as a middle layer?

This is my rule:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}

Upvotes: 0

Views: 160

Answers (1)

Doug Stevenson

Reputation: 317760

What you have now is using a global wildcard to match all documents in the entire database. The best practice is to call out each collection you want to provide access to. The global wildcard is risky because it's too easy to use it to accidentally allow access to everything unintentionally.

The first thing you should do is remove the global wildcard completely. The next thing is to write specific rules for each collection where clients should have access. For example, to give read-only access to "collection1":

    match /collection1/{id} {
      allow read;
    }

And to give read and write access only to signed-in users:

    match /collection1/{id} {
      allow read, write: if request.auth != null;
    }

These rules are not necessarily going to make your app "secure". They are just starting points. You should assess the security requirements for your app and write specific rules that implement those requirements. Only you know your specific requirements. There are not really universal rules that can make any app secure.

Upvotes: 2
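To show what the answer's advice looks like as a complete ruleset, here is an added example (not from the question, the answer, or Firebase's own documentation) that drops the global wildcard and instead names each collection explicitly. The collection names `products` and `users` and the field names `displayName` and `createdAt` are assumptions chosen for illustration; the webapp's real collections would replace them.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed public collection that the webapp renders for anonymous visitors.
    // Reads are open (the webapp has no signed-in users for this data), but
    // no client may write it at all; content is managed from the console or a
    // backend using the Admin SDK, which bypasses these rules.
    match /products/{productId} {
      allow read: if true;
      allow write: if false;
    }

    // Assumed per-user documents: only the signed-in owner of the document
    // (document id == the caller's uid) can read or change it. Authenticated
    // users cannot read or modify each other's documents.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;

      // On create, also restrict the document's shape so a client cannot
      // store arbitrary fields or oversized values under its own uid.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['displayName', 'createdAt'])
                    && request.resource.data.displayName is string
                    && request.resource.data.displayName.size() <= 64;
    }

    // No catch-all match here on purpose: any path not matched above is
    // denied by default, so adding a new collection later requires an
    // explicit rule rather than inheriting open access.
  }
}
```

The key difference from the original ruleset is that open read access is scoped to one named collection rather than granted to every document in the database, and every other path falls through to Firestore's default deny. Rules like these can be exercised locally against the Firestore emulator before deployment, which is the cheapest way to confirm that an anonymous read of `/products/x` succeeds while an anonymous or cross-user read of `/users/y` is rejected.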
