Menu
I have doubts about the security rules at Firestore.
My scenario is this: An Android application where users will only read data. They will not save, they will not modify anything. They are not going to register. It's just data reading.
I, for my part, need to write in that collection. I plan to do it via cURL using API KEY.
The rule that I am using is the following:
match /mycol/{document=**} {
allow read: if request.auth.uid != null; allow write: if true;
}
I want to prevent my collection from being accessed, for example by URL from anywhere:
https://firestore.googleapis.com/v1/projects/myproject/databases/(default)/documents/mydoc/mycol/
Avoiding for example that bots launch indiscriminate requests that would inflate my bill ...
I'm implementing the good rules for this case (only read from Android app without authentification and write via cURL using API KEY)?
510
You aren't really closing your collection, on the contrary, you are allowing anyone to write to it.
To allow only yourself to write to the collection there are several options. You can use the Admin SDK and write a small program that will only run from your machine.
The Admin SDK igores security, so you can remove the write part and it will only work for you.
match /mycol/{document=**} {
allow read: if request.auth.uid != null;
}
That's probably the easiest option and it's secure, as long as you keep your credentials safe and only do this in a trusted machine/network.
Another option would be creating a user for yourself and authenticating with that user. That can be a mobile app, web app or Node app for example. By doing that you can create a custom claim for your user, and only allow users with that claim to write, like this:
match /mycol/{document=**} {
allow read: if request.auth.uid != null; allow write: if request.auth.token.admin;
}
Then you could set the claims to the user like this (from Node):
await admin.auth().setCustomUserClaims("user_user_id", { admin: true });
Another option yet would be creating a Cloud Function to write to that collection. Cloud Functions use the Admin SDK, so security rules also don't apply unless you want them to by using the Javascript client SDK instead. Then in the Cloud Function you could validate your API key, and you would always call the URL of the Cloud Function instead of the database directly.
I would go with the first option so you can get yourself familiarized with the Admin SDK, and then if you need you can escalate to more structured solutions.
86
Since you're trying trying to read only and write only specific to some conditions.Try using this rules. Here inside the condition specify the api key if any:
service cloud.firestore {
match /databases/{database}/documents {
match /<some_path>/ {
allow read: if <some_condition>;
allow write: if <some_condition>;
}
}
}
To target your application only you should get your application token for that simply do this:
FirebaseInstanceId.getInstance().getInstanceId().addOnSuccessListener(this, instanceIdResult -> {
String newToken = instanceIdResult.getToken();
Log.e("newToken", newToken);
});
After running this code go to your log and then copy the token and then simply specify that token inside your condition for that try creating an auth id with your application token and then compare that auth id with your application token in your database rules
36
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
