how can i restrict access to firestore database to only requests coming from specific domain?

Question

there is a security rule that can restrict access to only specific users here: restrict access to specific users

Frank's answer there was really helpful and straight forward, but what if i am not using firestore authentication ?!

all i want to achieve is to grant access to requests coming only from my domain...just the domain, without authentication...so no one can use postman for example to send GET or POST requests to my firestore database.

is there a way i can say something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.origin.matches(/<https://myCompany.com>/);
    }
  }
}

any help would be much appreciated.

Answer 1

In october '22, App Check seems to be a functional solution for this use case.

Answer 2

There is no way to restrict to requests coming from a specific domain, and that would actually also be really easy to spoof. Something like Firebase App Check would help there, but that's not yet available for Firestore (yet).

The common way to limit who can access the database is to:

1. Require the user to sign in to Firebase Authentication
2. Require that they verify their email address.
3. Validate the email address of request.auth.token.email in the security rules.

Also see:

• Restricting Cloud Firestore to a specific domain (which I probably would've marked your question as a duplicate of, if I'd seen it before)
• Restrict Firestore sign in to specific domain