How to set rules to restrict anonymous read/write Firebase Database (Firestore and Realtime) Access to specific domain

Question

I have an app that requires users to anonymously read and write to a firebase database. I need a way to make it so users can only anonymously read/write from a specific domain. I've looked at similar stack overflow questions here

How do I lock down Firebase Database to any user from a specific (email) domain?

And I've tried rules like

{
  "rules": {
    ".read": "auth.token.email.matches(/.*@mydomain.wtf$/)",
    ".write": "auth.token.email.matches(/.*@mydomain.wtf$/)"
  }
}

But that seems to only pertain to emails.

https://firebase.google.com/docs/rules/basics#cloud-firestore All of the examples of rules I see on the official documentation don't seem to mention anything about domains.

Is there a way to restrict anonymous read/write access based on domain? If not is there another way to securely allow anonymous users to read/write? If there's another method that doesn't involve restricting the domain I'm all ears.

Answer 1

Is there a way to restrict anonymous read/write access based on domain?

No, it's not possible to restrict usage based on web domain. People are able to access a Firebase database from anywhere on the internet using the public REST API. An API is available for both Realtime Database and Firestore. It's not possible to validate that access is happening from within a specific app or browser domain.

is there another way to securely allow anonymous users to read/write?

Either you allow anonymous access, or you don't. There is no way to "secure" anonymous access any more than that.