Ian Barber

Reputation: 173

Confused With Firestore Rules

I am building a simple desktop app which will require a serial key to unlock all the functions of the app.

I am using the Firestore REST API to store the serial key when a user presses the Activate button, which is wired up and working.

Question: My current rules for the database are set to allow read, write: which the app needs so it can write and read back from the database. I keep reading that this is bad because anyone can sniff out the project ID and then mess with the database using the curl method from a browser.

Based on my workflow, what's the best route to go down?

Upvotes: 0

Views: 39

Answers (1)

Josh

Reputation: 3475

The reason it is bad is because any user can edit any record in your data store. A more secure solution would be to associate each record with a user identifier and only let users add and edit records which contain their user identifier.

A way to do this is to use Firebase authentication but, if you already have something else in place to identify individuals, you could use that.

The key is to ensure users can't edit anyone else's records, only their own. I found this article quite useful to get my head around it: https://fireship.io/snippets/firestore-rules-recipes/.

Upvotes: 1
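
A rules file implementing the ownership check this answer describes, as an added example that is not part of the original answer or the linked article. It assumes Firebase Authentication and hypothetical names (collection `activations`, fields `ownerUid` and `serialKey`).

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Open rule of the kind the question describes (constructed, for contrast only):
    //   match /{document=**} { allow read, write: if true; }
    // Anyone who knows the project ID can read or overwrite every document.

    function signedIn() {
      return request.auth != null;
    }

    // "activations", "ownerUid" and "serialKey" are hypothetical names.
    match /activations/{activationId} {
      // Read only documents whose owner field matches the caller.
      allow read: if signedIn()
        && resource.data.ownerUid == request.auth.uid;

      // Create only documents stamped with the caller's own uid.
      allow create: if signedIn()
        && request.resource.data.ownerUid == request.auth.uid
        && request.resource.data.serialKey is string;

      // Update own documents, without reassigning ownership to someone else.
      allow update: if signedIn()
        && resource.data.ownerUid == request.auth.uid
        && request.resource.data.ownerUid == resource.data.ownerUid;

      // Delete only own documents.
      allow delete: if signedIn()
        && resource.data.ownerUid == request.auth.uid;
    }

    // Any path without a matching allow statement is denied by default.
  }
}
```

Over the REST API, `request.auth` is populated when the request carries a Firebase Authentication ID token in an `Authorization: Bearer` header; requests without one fail every rule above.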
