Algolia + Firestore: Security Rules

Question

I'm planning to add Algolia search to a React app I'm working on. The data is stored in Cloud Firestore. I've already set up the sync between Algolia and Firestore using the extension by Algolia and I've tested the instant search and it works great.

However, it occurred to me that the security rules I've very meticulously set up for different user roles in Firestore will be completely ignored when returning data from an Algolia Search.

I was recommended to follow these instructions to implement User Restrictions on data. But now all my work in getting my Firestore security rules set up exactly the way I want it needs to be repeated, with seemingly great effort. It also means whenever I change the security rules I'll have to change the Algolia restrictions. Just for search.

Has anyone found an easier way to implement search-like querying Firestore while maintaining their security rules?

Answer 1

Since you store the information in two places with an API that can be called from the public internet, you will need to protect access to that information in both places separately.

The first alternative I can think of is to use a common access point for the data in both places (like with Cloud Functions), and then disable the APIs that allow direct access from the clients.

As OP pointed out in the comments, there's a relatively convenient way to share the user identity between Firebase and Algolia documented in the section on adding security to the Algolia integration.