I have a production and a sandbox Firestore databases and a common firestore.rules file.
I want only one user per database to be allowed to read and write.
I've currently using this configuration for the security rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isAdmin(uid) {
return uid == "IKHXrLmfIFZvrimpJUwnfUzTUoE2"
|| uid == "xVTByGu49XX3rOdNYMKf2Bzt5bY2";
}
match /{document=**} {
allow read, write: if isAdmin(request.auth.uid)
}
}
}
The first uid is the demo user (which exists only in the sandbox firebase project) and the second one is the admin user of the production database (which exists only in the production project)
Details:
- The codebase is open
- The sandbox database has public api key and demo user credentials (free plan).
- The production database is private, api key and admin credential are protected.
I am aware that publishing the sandbox API key is not the best, but it's not an important database.
The important thing is that the production database remains safe.
Are there any security issues using this method? If yes, how can I protect the production database?
