0

How can we restrict firestore reads so that only the application's users are able to read from the database.

I am thinking of creating a user from the firebase console and hardcoding the user's credentials (email and password) and login to the app and subsequently, set this rule on the firebase console:

   allow write:  if request.auth.uid == "XXXXXXXXXXXXXXXXXXXX";

However, i don't want to hardcode the credentials inside the app due to security reasons.

Another workaround i know is to use firebase anonymous login and use this rule to restrict reads to unauthenticated users:

   allow write:  if request.auth != null;

What would be the best approach to this problem?

Frankenxtein
  • 483
  • 7
  • 18
  • Do you want the solution to be entirely based on Firestore Security Rules? Because the single most important thing you can do is through the UI—prevent the user from accessing screens or making database reads without the proper credentials. – trndjc Dec 09 '20 at 15:56
  • What you're trying to do isn't feasible except by the kind of workarounds you're already talking about here. The correct way to do this is add Firebase Auth into the app, and use that to restrict who can read and write data. This is how security rules were designed to be used. If you don't want to use rules, you can force users through your backend, but then you just have the same problems to solve in your backend endpoint code. – Doug Stevenson Dec 09 '20 at 15:56

0 Answers0