Reputation: 582
I have a CRUD application (no login/signup), with data stored in a Firestore database. It is just an Angular application which connects to the Firestore db. My Firestore security rules are allow read, write true, so that I can access my Firestore db.
This is the format of the actual Firebase configuration:
{
apiKey: "xxxx",
authDomain: "xxxx-fi.firebaseapp.com",
databaseURL: "https://xxx-fi.firebaseio.com",
projectId: "xx-fi",
storageBucket: "xx-fi.appspot.com",
messagingSenderId: "xxx",
appId: "1:xxx:web:36344b5bddd03c3bcef663"
}
I have found that Firebase only needs to know the projectId, and not the full configuration above.
{
projectId: "xxxx-fi"
}
Just by using the above projectId I could read and write in my Firestore db. I felt this is a security risk: if someone knows my projectId, it is easy for them to read/write in my db.
So, in order to move my application to production level, how do I secure my Firestore db?
Note: I have already seen that people have posted about the same kind of issue on Stack Overflow, but I couldn't understand it clearly. Kindly share your solutions clearly. TIA
Upvotes: 1
Views: 295
Reputation: 50930
The project ID is required so the Firebase SDK will know where to read/write data from/to. Yes, anyone with that project ID can communicate with your Firebase project and that's where Firebase Security Rules come in.
allow read, write: if true;
will allow anyone to read and write to your database.
allow read: if true;
allow write: if false;
These rules will allow anyone to read but no one to write to the database. Now if you want to write to the database you would have to do so directly from the Firebase console.
The other option would be using Firebase Auth and creating an account for yourself only. Then you can write the following rule:
allow write: if request.auth.uid == "yourFirebaseUID";
This will allow only your account to write to the database.
If you want to allow multiple users to write to your database then you can use Firebase Custom Claims, which are kind of like roles on Discord. You can then check for the claim like this:
allow write: if request.auth.token.writerClaim == true;
Can you specify what kind of rules you are looking for? I may be able to help you write rules that way or suggest workarounds.
Upvotes: 2
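As an added illustration of the options in this answer (not code from the question or the answer), here is a complete firestore.rules file that combines them: public reads, writes restricted to a single owner UID or to holders of the writerClaim custom claim, plus a field-level check so a permitted writer still cannot store arbitrary data. The collection name `items`, the field names and the owner UID placeholder are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // request.auth is null for unauthenticated callers, so every helper
    // checks it before touching uid or token claims.
    function signedIn() {
      return request.auth != null;
    }

    // Single-owner variant from the answer. OWNER_UID_PLACEHOLDER stands in
    // for your own Firebase UID; it is not a value taken from the question.
    function isOwner() {
      return signedIn() && request.auth.uid == "OWNER_UID_PLACEHOLDER";
    }

    // Multi-user variant from the answer: a custom claim set via the Admin SDK.
    function hasWriterClaim() {
      return signedIn() && request.auth.token.writerClaim == true;
    }

    // Schema check so an authorised writer still cannot store arbitrary
    // fields or oversized strings. updatedAt must be a server timestamp.
    function validItem() {
      let d = request.resource.data;
      return d.keys().hasOnly(['title', 'body', 'updatedAt'])
          && d.title is string && d.title.size() <= 200
          && d.body is string && d.body.size() <= 5000
          && d.updatedAt == request.time;
    }

    // `items` is an assumed collection name for the CRUD app in the question.
    match /items/{itemId} {
      allow read: if true;   // public read, as in the answer
      allow create, update: if (isOwner() || hasWriterClaim()) && validItem();
      allow delete: if isOwner() || hasWriterClaim();
    }

    // Nothing else is reachable: a path with no matching allow is denied,
    // and `if false` never grants access, so this only makes that explicit.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy it with `firebase deploy --only firestore:rules`; the Rules Playground in the Firebase console or the local emulator lets you exercise each branch (anonymous read, owner write, claim-holder write, rejected write) before publishing.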