Reputation: 4370
I'm creating a blog with Firestore. I have two collections called users and blogPosts. Each document in blogPosts contains name, createdAt, createdBy and password (plain string) fields.
I want to create a security rule so clients can access a document only if they provide the correct document password.
According to an idea in this link, I wrote a rule like this:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /blogPosts/{postUid} {
      // Writes: only the signed-in author may write, and the fields are validated
      allow write: if
        request.resource.data.createdBy == request.auth.uid &&
        request.resource.data.name is string &&
        request.resource.data.name.size() > 2 &&
        request.resource.data.name.size() < 32 &&
        request.resource.data.password is string &&
        request.resource.data.password.size() > 5 &&
        request.resource.data.password.size() < 32;
      // Reads: attempt to compare a caller-supplied password with the stored one
      allow read: if
        request.auth != null &&
        request.resource.data.password == resource.data.password; // <---- THIS LINE IS NOT WORKING
    }
  }
}
I get this error in the playground with the rule above: Error: simulator.rules line [16], column [8]. Property resource is undefined on object.
So it means we don't have resource.data on read queries.
How can I achieve my goal with Firebase security rules, so that only clients that have the blogPosts password can access the documents?
Upvotes: 0
Views: 207
Reputation: 317948
What you're trying to do isn't possible with security rules (and also isn't really "secure" at all). A client app can't simply pass along some password in a query. The only time input is checked is for document fields in a write operation, not document reads.
If you want to check a password, you will have to make some sort of API endpoint and require that the caller provide the password to that endpoint. Again, bear in mind that this is only as secure as your ability to keep that password a secret, because once it becomes known (perhaps by simply reverse engineering your app), anyone will be able to use it.
Upvotes: 1