0 votes

I'm using the Google Cloud Platform Cloud Firestore database in my project. I started it in developer mode to model my data and fill it with records.

Now I'm ready to move to production, so I'm working on rules using the Firebase console instead of the GCP one. But it seems to ignore every rule I insert. For example, if I write something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Deny every read and write from client SDKs, at any path
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Using the Rules Playground, every read or create I try to submit fails as expected with a message such as "Simulated read denied".

But if I call a query from my node.js app, I can read, create, edit and delete everything, as if the rules were ignored.

Rules monitor does not show any error.

Is this related to GCP Firestore? I assume they use the same platform; in fact, they often point to the Firebase console for operations instead of the GCP console.

1 comment thread

You might be using the Admin SDK in your nodejs app. The Admin SDK can do everything and anything, as it should only be run in a trusted environment, like a server. - Nathan

Yes indeed, I'm using the Admin SDK. And yes, it is on a trusted server. I didn't know that it bypasses the security rules. - Valerio

1 Answer

1 votes

The Admin SDK running on NodeJS can bypass any security rule and pretty much perform any action on all the Firebase products.

With that, it should only be run in a trusted environment on a server that manages your app. It allows for more functionality and lets the server perform actions you would not want clients performing (e.g. changing leaderboards). You can read more about the SDK and its permissions here.
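The practical consequence of the answer above is that a server using the Admin SDK has to do the authorization that security rules would otherwise have done. The following is an added example, not code from the question, the answer or Firebase itself; it mirrors an assumed rule ("a user may only update documents they own") with in-memory stand-ins for `admin.firestore()` and `admin.auth().verifyIdToken()` so it runs offline.

```javascript
// Added example, not from the question or the answer. The Admin SDK ignores
// Firestore security rules, so the server must authorize every request itself.
// The rule mirrored here is assumed (it is not on the page): a user may only
// update documents they own.
//
// In production `db` would wrap admin.firestore() and `verifyIdToken` would be
// admin.auth().verifyIdToken(); both return promises there and must be awaited.
// The constructed fakes below are synchronous so the example runs offline.

// Constructed stand-in for the Admin SDK's Firestore client. Like the real
// Admin SDK, it applies no security rules at all.
function makeFakeAdminDb(seed) {
  const docs = new Map(Object.entries(seed));
  return {
    get: (path) => docs.get(path) ?? null,
    set: (path, data) => { docs.set(path, data); },
  };
}

// Constructed stand-in for ID-token verification: "uid:alice" -> { uid: "alice" }.
function fakeVerifyIdToken(token) {
  const m = /^uid:([a-z0-9]+)$/.exec(token || "");
  if (!m) throw new Error("invalid token");
  return { uid: m[1] };
}

// The check that security rules would perform for a client SDK caller, and
// that the Admin SDK will never perform for you.
function guardedUpdate(db, verifyIdToken, idToken, path, patch) {
  let claims;
  try {
    claims = verifyIdToken(idToken);
  } catch {
    return { ok: false, reason: "unauthenticated" };
  }
  const existing = db.get(path);
  if (!existing) return { ok: false, reason: "not-found" };
  if (existing.owner !== claims.uid) return { ok: false, reason: "forbidden" };
  const { owner, ...safePatch } = patch; // callers may not reassign ownership
  db.set(path, { ...existing, ...safePatch });
  return { ok: true };
}

// Walks both paths: the guarded update enforces ownership, while a raw Admin
// SDK write succeeds no matter who asks, exactly as the question observed.
function demo() {
  const db = makeFakeAdminDb({ "notes/n1": { owner: "alice", body: "hello" } });
  const mallory = guardedUpdate(db, fakeVerifyIdToken, "uid:mallory", "notes/n1", { body: "x" });
  const alice = guardedUpdate(db, fakeVerifyIdToken, "uid:alice", "notes/n1", { body: "edited", owner: "mallory" });
  const afterGuarded = { ...db.get("notes/n1") };
  db.set("notes/n1", { owner: "mallory", body: "raw admin write" }); // nothing stops this
  return { mallory, alice, afterGuarded, afterRaw: db.get("notes/n1") };
}
```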