Cloud Firestore: setting security rule based on authentication

3
votes

I would like to understand how secure it is a security rule based on authentication, like this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

I have collections where each document is relative to a specific user.

I am using Cloud Firestore only from mobile, both Android and iOS, not from web.

Is there any way for a user to get authenticated outside my mobile apps, and hence going to read or write some other user's documents?

1
firebase-authenticationfirebase-securitygoogle-cloud-firestore

1 Answers

8
votes

If you want to make sure that users cannot read each other's information, you should implement stronger rules than auth != null.

For example, these rules make it so you can only read and write the data at /users/userId if you are authenticated as userId.

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Anybody can write to their ouser doc
      allow read, write: if request.auth.uid == userId;
    }
  }
}

This will make it impossible for someone to "get authenticated outside my mobile apps, and hence going to read or write some other user's documents" as you mentioned.