zakblack

Reputation: 59

Firebase Flutter: Cloud Firestore database has insecure rules

Firebase keeps telling me:

We've detected the following issue(s) with your security rules: any user can read your entire database

I have changed the rules, but those rules don't work for my app, because all users can read from the db and only authenticated users can write to the db.

Firebase says that write and read should be performed until we log in. But in my case every user can read and only logged-in users can write.

Any ideas how to solve this? Or am I doing it wrong?

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}

Upvotes: 0

Views: 558

Answers (1)

Dharmaraj

Reputation: 50840

Can you set your read to false explicitly?

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if false;
      allow write: if request.auth != null;
    }
  }
}

That should do it. Let me know if it persists. The root cause is that even though you are allowing only authenticated users to read or write, they have access to the whole database, as mentioned in the Google Cloud Firestore documentation. That also means any authenticated user can write anything in your database.

If your database has a separate document for each user, I would suggest using the following rules, which allow users to write/read their own data only.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Each user may read and write only the document whose ID is their own UID.
    match /users/{userId} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

Upvotes: 1
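
For the case in the question (everyone may read, only signed-in users may write), the broad `/{document=**}` match can be replaced by rules scoped to named collections. The following is an added example, not part of the question or the answer above; the `posts` collection and its `authorId` field are assumptions made for illustration, and `users` follows the answer's layout.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Public content (hypothetical "posts" collection): anyone may read.
    match /posts/{postId} {
      allow read: if true;

      // Only signed-in users may create, and only under their own UID.
      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid;

      // Only the author may change or delete a post, and the
      // authorId field (assumed) may not be reassigned on update.
      allow update: if request.auth != null
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
                    && resource.data.authorId == request.auth.uid;
    }

    // Private per-user documents: owner only.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // No recursive wildcard: any path not matched above is denied by default.
  }
}
```

With no `/{document=**}` rule, public read applies only to `posts`, and a signed-in user can no longer write to arbitrary paths.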
