Title kind of says it all. Right now I have the following rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null
allow write: if request.auth != null
}
}
}
which I updated from allow read: if true because apparently that is insecure. I have some webpage stats that I would like to share with visitors who may not have an account or are not logged in. How can I securely allow reads for this?
I understand that you have some parts of your Firestore database that only authenticated users should be able to read and other parts that should be public ("I would like to share with visitors who may not have an account or are not logged in").
For that you should declare different access rights for the different collections, as follows, for example:
service cloud.firestore {
match /databases/{database}/documents {
match /some_public_collection/{document} {
allow read, write: if true;
}
match /some_private_collection1/{document} {
allow read, write: if request.auth != null;
}
match /some_private_collection2/{document} {
allow read, write: if request.auth != null;
}
}
}
To answer your question "how to allow reads by not logged in users from a specific domain?":
I'm not sure what you mean by domain here. If you mean that the user shall have an email which is from a specific email domain, the user must be loggedin in order to check his/her email (through request.auth.token.email, see here for more details).
