There is nothing built in to Firebase Authentication or Cloud Firestore security rules to indicate what platform a request is coming from. To be honest, it sounds quite insecure: if a user doesn't have to sign in on your web app, what keeps all users from using that web app?
But if you really want to implement this functionality, the easiest way to do this is to use anonymous authentication in the web app. With anonymous authentication, the user gets signed in without having to enter any credentials:
firebase.auth().signInAnonymously()
Now in your security rules, you can simply check for any authenticated user:
allow read, write: if request.auth.uid != null;
This allows any authenticated user access to the data: from the web app this will be anonymous users, while from the native apps it'll be whatever sign-in method you implemented there.
Once you add other sign-in methods to the web app, you can upgrade the user's anonymous account by linking the providers to a single user account.
Fair warning though that nothing stops users from creating their own app and running it against your project configuration. So they can create an Android/iOS app that also uses anonymous authentication. If you want to prevent that, things get quite a bit more complex...
Here's one way to do it:
- In the web app, sign the user in with anonymous authentication. This means that the user doesn't need to enter credentials.
- In the web app, send a request to a Cloud Function you create.
- In the Cloud Function, verify that the request is coming from your web app. I have no guidance here, since it's unrelated to Firebase.
- If the request is coming from the web client, add a custom claim to the user account identifying the user as a web user:
admin.auth().setCustomUserClaims(uid, { isWebUser: true })
Once the client refreshes its token (this may take up to an hour, unless you force it to refresh), the custom claim will be present in all requests it makes. So from that moment on, you can check the claim in your Firestore security rules:
allow read, write: if request.auth.token.isWebUser == true;
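
The Cloud Function steps above, sketched as an added example (not code from the original answer). `grantWebUserClaim`, `isFromWebApp`, `fakeAuth` and the `x-constructed-web-proof` header are hypothetical names; only `verifyIdToken`, `getUser` and `setCustomUserClaims` are Admin SDK calls, and they are injected here so the block runs without the SDK.

```javascript
// Core of the Cloud Function: in a deployed function `auth` would be
// admin.auth() and `req` the incoming HTTPS request.
// ASSUMPTION: isFromWebApp(req) is a predicate you write yourself; the answer
// gives no guidance on how to implement it.
async function grantWebUserClaim(auth, isFromWebApp, req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match) return { status: 401, body: "missing ID token" };

  let decoded;
  try {
    // Take the uid from the verified ID token, never from the request body.
    decoded = await auth.verifyIdToken(match[1]);
  } catch (err) {
    return { status: 401, body: "invalid ID token" };
  }

  if (!(await isFromWebApp(req))) {
    return { status: 403, body: "not the web app" };
  }

  // setCustomUserClaims replaces the whole claims object, so merge first.
  const user = await auth.getUser(decoded.uid);
  const claims = { ...(user.customClaims || {}), isWebUser: true };
  await auth.setCustomUserClaims(decoded.uid, claims);
  return { status: 200, body: "claim set; refresh the ID token" };
}

// Constructed stand-in for admin.auth(), so the example runs offline.
function fakeAuth(users, tokens) {
  return {
    async verifyIdToken(t) {
      if (!(t in tokens)) throw new Error("bad token");
      return { uid: tokens[t] };
    },
    async getUser(uid) { return { uid, customClaims: users[uid] }; },
    async setCustomUserClaims(uid, claims) { users[uid] = claims; },
  };
}

// Constructed requests: accepted, rejected by the web check, forged token.
async function demo() {
  const users = { anon1: { beta: true }, anon2: undefined };
  const auth = fakeAuth(users, { tokA: "anon1", tokB: "anon2" });
  const fromWeb = (req) => req.headers["x-constructed-web-proof"] === "ok"; // placeholder check
  const call = (tok, proof) => grantWebUserClaim(auth, fromWeb, {
    headers: { authorization: "Bearer " + tok, "x-constructed-web-proof": proof } });
  const results = [await call("tokA", "ok"), await call("tokB", "no"), await call("forged", "ok")];
  return { statuses: results.map((r) => r.status), users };
}
```

After a 200 response, the web client can pick up the claim immediately by forcing a refresh with `firebase.auth().currentUser.getIdToken(true)`.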