I would like to understand how secure a security rule based only on authentication is, like this one:
```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
```
I have collections where each document is relative to a specific user.
I am using Cloud Firestore only from mobile, both Android and iOS, not from web.
Is there any way for a user to get authenticated outside my mobile apps, and hence go on to read or write some other user's documents?
If you want to make sure that users cannot read each other's information, you should implement stronger rules than auth != null.
For example, these rules make it so you can only read and write the data at `/users/userId` if you are authenticated as `userId`.
```
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Anybody can read and write their own user doc, and nobody else's
      allow read, write: if request.auth.uid == userId;
    }
  }
}
```
This will make it impossible for someone to "get authenticated outside my mobile apps, and hence going to read or write some other user's documents" as you mentioned.
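Extending the answer's owner-based rule to subcollections and to documents in a shared collection keyed by an owner field, as an added example that is not part of the original answer. The `posts` collection and its `ownerId` field are assumed names, and the ruleset assumes `rules_version = '2'` so that `{document=**}` also matches the user document itself.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Being signed in is necessary but not sufficient: every rule below
    // also ties the document to the caller's uid. The null check comes
    // first because request.auth.uid on an unauthenticated request errors.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // The user document and everything nested under it,
    // e.g. /users/{userId}/devices/{deviceId}.
    match /users/{userId}/{document=**} {
      allow read, write: if isOwner(userId);
    }

    // Shared collection where each document carries its owner's uid
    // in an ownerId field (assumed schema).
    match /posts/{postId} {
      // Existing documents: only the recorded owner may read or delete.
      allow read, delete: if isOwner(resource.data.ownerId);
      // New documents must be stamped with the caller's own uid,
      // so nobody can create a document on behalf of another user.
      allow create: if isOwner(request.resource.data.ownerId);
      // Updates by the owner only, and ownership cannot be reassigned.
      allow update: if isOwner(resource.data.ownerId)
                    && request.resource.data.ownerId == resource.data.ownerId;
    }
  }
}
```

Rules are not filters: a client query on `posts` must include `where("ownerId", "==", uid)`, otherwise the whole query is rejected because it could return documents the caller may not read.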