Reputation: 166
Firestore security rules: allow access to one specific user
I have a production and a sandbox Firestore databases and a common firestore.rules file.
I want only one user per database to be allowed to read and write.
I've currently using this configuration for the security rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isAdmin(uid) {
return uid == "IKHXrLmfIFZvrimpJUwnfUzTUoE2"
|| uid == "xVTByGu49XX3rOdNYMKf2Bzt5bY2";
}
match /{document=**} {
allow read, write: if isAdmin(request.auth.uid)
}
}
}
The first uid is the demo user (which exists only in the sandbox firebase project) and the second one is the admin user of the production database (which exists only in the production project)
Details:
- The codebase is open
- The sandbox database has public api key and demo user credentials (free plan).
- The production database is private, api key and admin credential are protected.
I am aware that publishing the sandbox API key is not the best, but it's not an important database.
The important thing is that the production database remains safe.
Are there any security issues using this method? If yes, how can I protect the production database?
Upvotes: 4
Views: 1607
Answers (1)
Reputation: 600110
I use this approach all the time when I first start on a project. I create an initial (anonymous) user, and give that one extensive permission in the security rules.
Since you'd need the project's service credentials to be able to set the same UID at will on my project, this approach is secure and allows me to get started quickly.
Then when I'm ready for a more extensive security system I extend the security model, typically on one of these:
- By allowing all users from a specific domain administrative access.
- By creating a list of admin UIDs in the database, and checking that in my rules.
- By adding a custom claim
isAdminto the user's token, and check that in the security rules.
But even at that point, I tend to leave the hard-coded UIDs in place, as they are no security risk.
Upvotes: 2
Related Questions
- Firestore: userId rule
- How to use Firestore Security Rules to let users only access their own resources
- Firestore Security Rules for specific user that was added in the Firebase console directly
- Firebase (Firestore) security rules, limit access to object for specific users
- Setup Firestore User Security Rule
- Firestore security rules allow user access to their data
- Firestore write security rule for specific user using auth names
- Cloud Firestore: setting security rule based on authentication
- Firestore Database Rules for User
- Configuring rules for Firestore so user only gets records they own