CuriousCoder

Reputation: 262

Firestore Security Rules Without User Authentication

I have a simple cryptocurrency app that uses an API to fetch prices. I am using Firestore to store my API key and my app retrieves my API key from Firestore when launched. My API key is the only data I have in my Firestore. Since my app doesn't allow users to create profiles/accounts, I don't include user authentication in my rules. My security rules for Firestore are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /Data/{Data} {
      allow read: if true;
    }
  }
}

Are there better security rules to improve security or are these rules good enough?

EDIT

The file 'url-builder.dart' below is how I am retrieving my API key from Firestore. I then slot my API key into my URL at the end.

import 'package:cloud_firestore/cloud_firestore.dart';

class URLBuilder {
  URLBuilder(this.cryptoCurrency, this.currency, this.periodValue);

  String cryptoCurrency;
  String currency;
  String periodValue;

  // Assigned by buildURL(); 'late' because it is not set in the constructor.
  late String _pricesAndTimesURL;
  String get pricesAndTimesURL => _pricesAndTimesURL;

  // Reads the single document Data/APIKeyDocument and returns its "Key" field.
  Future<String> getApiKey() async {
    final snapshot = await FirebaseFirestore.instance
        .collection("Data")
        .doc("APIKeyDocument")
        .get();
    // data() is null when the document does not exist, so fail loudly here
    // instead of building a request URL with a null key in it.
    final data = snapshot.data();
    if (data == null || data["Key"] == null) {
      throw StateError('Data/APIKeyDocument has no "Key" field');
    }
    return data["Key"] as String;
  }

  Future<void> buildURL() async {
    String apiKey = await getApiKey();
    // urlStart (the API host) is defined elsewhere in the asker's code and is
    // not shown in the question.
    _pricesAndTimesURL =
        'https:$urlStart/markets/kraken/$cryptoCurrency$currency/ohlc?periods=$periodValue&apikey=$apiKey';
  }
}

Upvotes: 0

Views: 221

Answers (1)

Frank van Puffelen

Reputation: 600061

For best security, consider your security rules part of your application logic, on the same level as your application code is. This means that your rules should only allow the exact usage that your application code needs.

Since you didn't share the relevant code, I'll make some assumptions and general recommendations below.

If your code does a get() call on all documents in the Data collection, then your current rules are a good proxy for that. But if, for example, your code accesses only a single document in that collection, this would be the closer equivalent:

allow get: if true;

This means the code can get a single document, but it cannot get all documents in the collection.

If your code only accesses a specific document, you could tighten the rules even further to only allow them to read that document, and further protect other documents you may have in the Data collection now, or add in the future.

Upvotes: 3
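The tightened rule set the answer describes, written out as an added example (this is not code from the question or the answer). It assumes the app only ever reads the single document Data/APIKeyDocument that the question's Dart code fetches with a one-document get():

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Match the one document the app reads, not a {Data} wildcard, so any
    // other document in the Data collection (now or later) is never matched
    // and therefore falls through to Firestore's default deny.
    match /Data/APIKeyDocument {
      // 'get' is the single-document half of 'read'. The other half, 'list',
      // is not granted, so a query against the whole Data collection is
      // rejected even though doc("APIKeyDocument").get() still succeeds.
      allow get: if true;
      // No create/update/delete rule: writes are denied by default.
    }
  }
}
```

Two things change relative to the rules in the question: `get` replaces `read`, so a `list` query against the Data collection is denied while a single-document `get()` keeps working, and the literal `APIKeyDocument` segment replaces the `{Data}` wildcard, so any document added to the collection later is denied unless a rule for it is written. One caveat a practitioner should keep in mind: the condition is still `if true`, and the Firebase project configuration ships inside the app binary, so anyone who extracts it can request that one path and read the key. Narrowing the match limits what a stranger can read to exactly that document; it does not make the key secret.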
