
Straight-forward: I'm using REST API calls and I want the rules to accept the calls only if they contain the web key of my database.

My rules are:

match /{document=**} {
  allow read, write: if request.key == "my_Web_API_key";
}

But when I call

GET https://firestore.googleapis.com/v1/projects/my-project/databases/(default)/documents/users?key=my_Web_API_key

it returns (403) Forbidden. I already tried things like

match /{document=**} {
  allow read, write: if request.auth.uid != null;
}

but it gave me the same result.

How can I write the rules to only accept REST API calls that contain the web API key?

Daniel

1 Answer


You're not using the Firestore REST API correctly. It doesn't accept a key parameter, and you can't pass arbitrary values to use in rules (that is actually not very secure at all). According to the API documentation, you must authenticate with either of these:

  • Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.

  • Use a Google Identity OAuth 2.0 token and a service account to authenticate requests from your application, such as requests for database administration. For these requests, Cloud Firestore uses Identity and Access Management (IAM) to determine if a request is authorized.

If you require a Firebase Auth user to make the request, then you will have to use the first option.

If you provide neither of these tokens, then the API will only be able to read documents that do not require any authentication. That means you can't require request.auth.uid != null.

Frank van Puffelen
Doug Stevenson
  • So what does the web API key stand for? I thought I could use it to authenticate my REST API calls but seems like it's useless. If I allow read/write in the rules, I don't need the key, if I deny read/write, the key doesn't allow me to access the database. – Daniel Aug 08 '20 at 04:01
  • I don't know - where did you get it? Are you referring to some documentation about how to use it? The Firestore REST API documentation I linked to is clear on how to do auth. You might be referring to something else. – Doug Stevenson Aug 08 '20 at 04:22
  • And if your rules don't require auth, then your database is effectively open to the public by anyone who is using the REST API or any of the client libraries. That is by design. If you don't want a public database, then you should require auth in your rules, and your REST API calls should properly provide auth. – Doug Stevenson Aug 08 '20 at 04:23
  • In the project settings. There I can find the Project Name, Project ID, Project Number and **Web API Key**, which I thought I could use to do some kind of auth. – Daniel Aug 08 '20 at 04:31
  • I read [this question](https://stackoverflow.com/questions/57029275/firebase-cloud-firestore-rest-api-authentication-with-only-web-api-key) and I think it's clear to me now. – Daniel Aug 08 '20 at 04:33
  • That value is not useful for authentication here. – Doug Stevenson Aug 08 '20 at 04:33