Building an app, using Firestore database for its content.

Rules are:

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth.uid == request.resource.data.author_uid;
    }
  }
}

As the warning says, I have allow read just set to true, which, I understand, is a problem.

How do I make it so my Flutter app can read the contents of my Firestore database, but any random user can't? The app is public/free etc., so I don't want people to have to log in.

Do I give my app some kind of code and check against that? Or...?

Update: I see that there is anonymous login, which could solve the issue, but is that overkill? Does it actually help? Will it then keep my app from being used offline? ...etc

Dave

2 Answers

While you can nowadays limit abuse from non-authorized code with Firebase App Check, this is no guarantee. There is no guaranteed way to secure access based on it being your app, or your code. That's simply not how security works with cloud based services.

If you want to limit access to legitimate users of your app, you will have to sign those users in and somehow legitimize them.

What legitimate means here is up to you of course. Whether that is "they are signed in" (request.auth != null), or that they verified their email address so you can contact them (request.auth.token.email_verified == true), or one of the many other options, it's all possible.

Also see:

Frank van Puffelen
  • Great answer Frank. – Lewis Jan 16 '20 at 04:28
  • In looking through your other answers and their links, it looks like signing them in anonymously might be the perfect solution. Doesn't that solve both problems? Not requiring them to sign in (done automatically behind the scenes by the sound of it?) And being able to utilize the auth in firebase rules. Am I misunderstanding that? https://firebase.google.com/docs/auth/android/anonymous-auth – Dave Jan 16 '20 at 14:57
  • Anonymous sign in gives the user a UID, without requiring them to enter credentials. If that is what your app needs, then go for it. – Frank van Puffelen Jan 16 '20 at 15:05
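A rule set that applies this answer's advice, added here as an example (it is not code from the question or the answer): reads require a signed-in user, which anonymous sign-in satisfies as the comments conclude, and the owner check is split into create/update/delete so it always reads the right document. The path is the question's own recursive wildcard; the helper function names are my own.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // True for any signed-in user. Anonymous sign-in (signInAnonymously in the
    // Flutter app) also populates request.auth, so no email/password is needed.
    function signedIn() {
      return request.auth != null;
    }

    // Stricter alternative from the answer: only users with a verified email.
    // function verifiedUser() {
    //   return signedIn() && request.auth.token.email_verified == true;
    // }

    // The caller owns the document whose data map is passed in.
    function isOwner(data) {
      return signedIn() && request.auth.uid == data.author_uid;
    }

    // Narrowing this to named collections is preferable once the schema is fixed.
    match /{document=**} {
      // Replaces "allow read: if true": unauthenticated requests are denied.
      allow read: if signedIn();

      // On create there is no stored document yet, so check the incoming data.
      allow create: if isOwner(request.resource.data);

      // On update check the stored document (resource) and forbid changing the
      // owner field; on delete there is no incoming data, so only resource applies.
      allow update: if isOwner(resource.data) && request.resource.data.author_uid == resource.data.author_uid;
      allow delete: if isOwner(resource.data);
    }
  }
}
```

Firebase App Check, mentioned in the answer, is enabled in the console rather than in these rules and only reduces traffic from unattributed clients; the rules above are what actually gate the data.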
In the Rules Section of the Database, try to code them like, if the user is logged in then he will have access. Follow this link for more info.

Radha Manohar
  • As mentioned in the original post, the users won't be logged in. Or have any kind of email authentication...etc for that matter. It's just a free app with no credentials or email required. – Dave Jan 16 '20 at 14:53
  • Even if the app has no credentials, the database should not be open, and in your case you need to code the rules such that Firebase serves data only if the request has been sent from your app; if not, data should not be retrieved. – Radha Manohar Jan 17 '20 at 05:55
  • That's exactly my question. How can I add rules to limit the reading of the data to only my app without requiring the user to log in? – Dave Feb 02 '20 at 16:53