So I'm trying to figure out how Cloud Firestore rules work, and I made a simple app to learn how to write secure rules. The app basically shows news to all users and allows users to send suggestions to the admin without user authentication (no sign-up required). So I thought that if I used allow write: if true; for the document that contains the users' suggestions, it would be secure, but I'm receiving a warning from Firebase that my Firestore Cloud rules are not secure. So I thought it's not secure because maybe anyone can rewrite/delete the whole data in the users_suggestion document. I still need to achieve secure rules without requiring the user's authentication; if you know how, please help.

This is how the rules look:

service cloud.firestore {
  match /databases/{database}/documents {

    match /users_suggestion/{documents} {
      // Only signed-in users can read suggestions.
      allow read: if request.auth != null;
      // Anyone, signed in or not, can create, update or delete any document here.
      allow write: if true;
    }

    match /news/{documents} {
      // Everyone can read news.
      allow read;
      // Only signed-in users can write news.
      allow write: if request.auth != null;
    }
  }
}

The collections are users_suggestion and news.

Security rules vary with respect to the application. In this rule for /users_suggestion/{documents}, authenticated users have been allowed to read; write is a higher-level action, and for that too the user should be authenticated. – Muthu Thavamani
Hope you referred to this nice Firebase doc: firebase.google.com/docs/firestore/security/rules-structure – Muthu Thavamani
@MuthuThavamani Is it possible to allow a limited write, like for only one document or field, without authentication? – Fathi Draws
@MuthuThavamani I just finished reading the docs you shared; it's very useful. It seems not possible to have secure rules and allow write without authenticating. Thank you for your help. – Fathi Draws
Glad you got an idea of the rules. Updated a few more in my answer! – Muthu Thavamani

1 Answer

Security rules vary with respect to the application.

In your rule for /users_suggestion/{documents}, authenticated users have been allowed to read; write is a higher-level action, and for that too the user should be authenticated.

Firebase provides very flexible Security Rules to secure the data in Cloud Firestore, Realtime Database, and Cloud Storage.

Other than checking only for user authentication, you shall provide narrow access using security conditions:

  • Role-based access
  • Attribute-based access
  • Mixed public and private access

References:

  1. https://firebase.google.com/docs/firestore/security/rules-structure
  2. https://firebase.google.com/docs/rules/basics
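As an added example, not from the answer or the Firebase docs, here is how the "mixed public and private access" condition above applies to the question's two collections: unauthenticated clients may only create a suggestion whose fields are validated, never update or delete one, and reading suggestions is restricted to a signed-in admin. The admin custom claim and the text/createdAt field names are assumptions for this example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /news/{newsId} {
      // Public read; only signed-in users may change news.
      allow read: if true;
      allow write: if request.auth != null;
    }

    match /users_suggestion/{suggestionId} {
      // Assumed: admins carry a custom claim "admin" set server-side.
      allow read: if request.auth != null
                  && request.auth.token.admin == true;

      // Anonymous create only. The document must contain exactly the
      // fields text and createdAt, text must be a bounded string, and
      // createdAt must be the server timestamp (client cannot backdate).
      allow create: if request.resource.data.keys().hasOnly(['text', 'createdAt'])
                    && request.resource.data.keys().hasAll(['text', 'createdAt'])
                    && request.resource.data.text is string
                    && request.resource.data.text.size() > 0
                    && request.resource.data.text.size() <= 1000
                    && request.resource.data.createdAt == request.time;

      // Nobody can rewrite or remove existing suggestions through the client.
      allow update, delete: if false;
    }
  }
}
```

This closes the "anyone can rewrite/delete the whole collection" hole raised in the question while keeping the suggestion box open to unauthenticated users; it does not limit how many documents one client can create, which needs App Check, a Cloud Function, or a similar server-side control.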