Firebase- Your Cloud Firestore database has insecure rules, how to fix it?

2
votes

I use firebase rest API below to access my firestore database data

https://firestore.googleapis.com/v1/projects/testproject/databases/(default)/documents/Test/Employee?key=a29.ImCbB4CbV3CWoPouWsh24NrQ-3eKUmuK-dELilZGmPqqDlq4jJNWBmJ47MnJ1pBQSDPNqPeknqD4Usm9SIf6pmG-8sfK15QlkQR

to access my firestore database,I used my access token in the key portion but I receive email from firebase stated that "[Firebase] Your Cloud Firestore database has insecure rules". Only then I found out that anyone can access my database data even without a valid access token

So I tried to add some rule in the database as below and hoping that only a valid access token can access my database

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

but after added the rule, I can no longer query my database with REST API even with the valid access token, the rest api return below error

{
  "error": {
    "code": 403,
    "message": "Missing or insufficient permissions.",
    "status": "PERMISSION_DENIED"
  }
}

Anyone know how should I edit the rule to make my database secure while still able access via REST API.

Thanks

2
firebasegoogle-cloud-firestorefirebase-security
You will need to call out individual collections and make sure that only the certain users who should be able to access them can actually access them. Since we don't know the security requirements of your app, there's no specific advice we can give. Please start with the documentation to understand how security rules work. firebase.google.com/docs/firestore/security/get-started - Doug Stevenson
I did read the documentation but could not find the info for the REST API security rule. According to the documentation, "Every database request from a Cloud Firestore mobile/web client library is evaluated against your security rules before reading or writing any data. If the rules deny access to any of the specified document paths, the entire request fails.", it's seem that the security rule only work for client library access. - PJS
I access my database using REST API with a access token as firestore.googleapis.com/v1/projects/sales/databases/(default)/… , but if I did not set any security rule, I can access the database even with a random token key. - PJS
here it mentions:"If you are using the server client libraries or the REST or RPC APIs, make sure to set up Cloud Identity and Access Management(IAM) for Cloud Firestore." So this means that the rules don't work with the REST API. Based on this the quick answer is: "It's not possible" but what you want to achieve and most probably with IAM you can achieve it. - Soni Sol
So you want public read and write access to your database via the REST API, but you also want it "secure"? That doesn't seem possible. Public, unauthenticated access is the opposite of secure. - Doug Stevenson

2 Answers

1
votes

I think I figured out what's wrong with the access token, I have to pass the token as bearer in the header instead of passing it as the key in the url.

1
votes

I found another way to accomplish what you asked without exposing the auth token. The solution I opted was to allow anonymous login in Firebase. Here you can see a more detailed explanation: https://stackoverflow.com/a/60426745/2636562