Restricting Cloud Firestore to a specific domain

Question

Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?

For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.

service cloud.firestore {
  match /databases/{database}/documents {
    match /coming-soon-email-ids/{document=**} {
      allow write;
      allow read, update, delete: if request.auth.uid == !null;
    }
  }
}

Or do I have to integrate Google's firewall in it?

check this out https://blog.jimmycai.com/p/firebase-limit-access-to-certain-domains/. Not quite a domain restriction but for google's login you could restrict to a certain domain for G suit — TheBen, Jan 31 '19 at 06:01

Doug Stevenson · Accepted Answer · 2020-05-31T16:42:24.393

8

Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).

You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.

edited May 31 '20 at 16:42

answered Nov 22 '18 at 07:28

Doug Stevenson

297,357
32
422
441

Ok is there a way to restric to one or more fields? – Akshay Nov 23 '18 at 05:47
I don't know what you're asking. It sounds like the beginning of a whole new question that's unrelated to this one. – Doug Stevenson Nov 23 '18 at 05:55
If logged in via google (G suit for instance) I think we simply check for the email domain in the firestore rules – TheBen Jan 31 '19 at 05:59
Can't use the apiKey to build my own app that points to your firestore and then implement anonymous sign-on too though? – mesllo Nov 30 '21 at 17:11

score 4 · Answer 2 · answered Feb 03 '21 at 02:59

4

I had the same question, and I coming up with a solution. You can do sign In anonymously:

const signIn = async () => {
auth.signInAnonymously()
.then(() => {
  // Signed in..
})
.catch((error) => {
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});

Then you can put your rules like:

allow read, write: if request.auth != null;

Then in authentication, you can activate the a anonymous method for sign in and add your authorized domains.

answered Feb 03 '21 at 02:59

kevin parra

336
4
11

1

Have you tested this? I tried authenticating anonymously from a non-listed domain and I can still fetch data from Firestore... – Robbert Feb 18 '21 at 11:57
I tested this and used it. Remember to add the rules in firestore rules and also add the domain you want to allow – kevin parra Feb 18 '21 at 20:25
Does signing in anonymously prevent you from doing so signin in with a specific account? – SumNeuron Apr 05 '21 at 15:59
I think you can have both systems – kevin parra Apr 12 '21 at 19:27

Restricting Cloud Firestore to a specific domain

2 Answers2

Linked

Related