0

For a side-project that is about to launch, I want to set-up a signup form where people can show their interest in getting an invite. I use Firestore for the application and want to create a new collection where I store all the potential users.

As this form is published on the company website, I can not use security rules using authentication, as everybody has to be able to submit the form. For this reason, the write permission is public.

Are there any measures I could take to prevent a smart user to infinitely make write requests? I aim to keep the sign-up process as accessible as possible.

Thank you!

Thomas van Broekhoven
  • 858
  • 7
  • 18
  • 1
    Are you using Firebase Authentication to sign in and uniquely identify users? – Doug Stevenson Aug 27 '19 at 12:33
  • I am for the main application, which is running on a subdomain. – Thomas van Broekhoven Aug 27 '19 at 12:34
  • 1
    You'll have to make use of the Firebase Auth UID to make sure that the user can read and write only certain documents that match the UID. https://firebase.google.com/docs/firestore/security/rules-conditions#authentication – Doug Stevenson Aug 27 '19 at 12:41
  • Thank you for your input! However, as visitors are only signing up for an invite-list, and not for the actual application, I do not use authentication. Would you suggest using Firebase's authentication (with e.g. a random password) to let users sign-up? The form only consists of an e-mail address field. – Thomas van Broekhoven Aug 27 '19 at 12:47
  • 3
    You'll have to make some use of auth in order to impose any sort of control over who can write what. How you do that is up to you. Without auth, security rules can't identify the user and place limits on what they can do. – Doug Stevenson Aug 27 '19 at 12:50
  • Alright, thank you very much! I will implement auth to secure the database here too (before going to Madrid for the summit haha) – Thomas van Broekhoven Aug 27 '19 at 12:55
  • 2
    You could implement anonymous authentication and then use a write-rate limit as shown here: https://stackoverflow.com/questions/56487578/how-do-i-implement-a-write-rate-limit-in-cloud-firestore-security-rules – Frank van Puffelen Aug 27 '19 at 13:17
  • @FrankvanPuffelen Thank you, I just implemented anonymous authentication and it works great! – Thomas van Broekhoven Aug 27 '19 at 14:56

1 Answers1

2

As Doug explained in the comments, it is not possible to protect the Firestore database other than using security rules. In order to do so, Firebase Authentication is required. For more information, visit: https://firebase.google.com/docs/firestore/security/rules-conditions#authentication

In my case: I applied Frank's advice (see comments) and implemented anonymous authentication to limit the number of writes possible per user. Thank you!

Thomas van Broekhoven
  • 858
  • 7
  • 18