1

there is a security rule that can restrict access to only specific users here: restrict access to specific users

Frank's answer there was really helpful and straight forward, but what if i am not using firestore authentication ?!

all i want to achieve is to grant access to requests coming only from my domain...just the domain, without authentication...so no one can use postman for example to send GET or POST requests to my firestore database.

is there a way i can say something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.origin.matches(/<https://myCompany.com>/);
    }
  }
}

any help would be much appreciated.

mohamed mostapha
  • 161
  • 4
  • 16

2 Answers2

3

There is no way to restrict to requests coming from a specific domain, and that would actually also be really easy to spoof. Something like Firebase App Check would help there, but that's not yet available for Firestore (yet).

The common way to limit who can access the database is to:

  1. Require the user to sign in to Firebase Authentication
  2. Require that they verify their email address.
  3. Validate the email address of request.auth.token.email in the security rules.

Also see:

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • i think i can apply an easy workaround to achieve the specific domain target i want, we will create business emails for our employees "employee1@myCompany.com", then we require them to sign in to firebase authentication, then in Firestore's security rules we can do this check: allow read, write if: "auth.token.email_verified == true && auth.token.email.matches(/.*@myCompany.com$/)"....Thanks Frank, have a good day :) – mohamed mostapha Sep 17 '21 at 22:14
  • Yup, that is pretty much the approach. – Frank van Puffelen Sep 17 '21 at 23:00
0

In october '22, App Check seems to be a functional solution for this use case.

Carlos Bonnin
  • 53
  • 5