
I am making an Android application in which I am authenticating my user with Firebase Auth and only reading data from Firestore (till now).

Recently I got an email from Firestore about security rules and my data being open and so on... it goes like:

You chose to start developing in Test Mode, which leaves your Cloud Firestore database completely open to the Internet. Because your app is vulnerable to attackers, your Firestore security rules were configured to stop allowing requests after the first 30 days. In 1 day(s), all client requests to your Firestore database will be denied. Before that time, please write strong security rules that allow your app to function while appropriately protecting your data. Analysis is run daily; if you've modified your rules in the last 24 hours those changes may not be accounted for.

Can someone tell me how I can get out of this? I also want to upload this app to the Play Store in future.

Thanks in advance.

Frank van Puffelen

1 Answer

Review the section named "Rules" in your Firebase console (Firestore section).

If you only read data from Firestore you can change your rules to this. It makes Firestore read-only.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if false;
    }
  }
}

Otherwise you can limit write permissions to authenticated users:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth != null;
    }
  }
}

And you can set different rules per match path:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /one_collection_name/{document=**} {
      allow read, write: if true;
    }
    match /other_collection_name/{document=**} {
      allow read: if true;
      allow write: if request.auth.token.admin == true;
    }
  }
}

There are multiple possibilities, as described in https://firebase.google.com/docs/firestore/security/get-started.

jaredbaszler
Tonio
  • I am aware of these basic rules, but my senior told me that if I only read data from Firestore then it will decline the client access even if I update the rule for read only (i.e. allow read if true). He also mentioned that if I want my Firestore to work every time then I also have to perform create and update operations, else if I only read from the database then Firebase will assume my project is an inactive project and may close the client access. Is this true?? – Aman Sharma Nov 03 '21 at 12:07
  • Sorry @AmanSharma. I don't know about that, but I've never had a Firestore project on read-only indefinitely. – Tonio Nov 03 '21 at 12:26
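Editor's note with an added example, not part of the answer or the comments above. The email quoted in the question is produced by the default Test Mode rule, which grants access only while request.time is before a fixed expiry date written into the rule when the database was created; once that date passes every client request is denied, regardless of how often the app reads or writes. Replacing that rule with your own removes the expiry. Because the app already signs users in with Firebase Auth, there is no reason to use allow read: if true, which lets anyone who extracts the project ID from the APK read the whole database; requiring request.auth != null costs nothing and is the minimum a Play Store app should ship with. The ruleset below is an added example covering the three patterns from the answer (read-only collection, per-user documents, admin-only writes); the collection names products, users and settings, the field names displayName and createdAt, and the custom claim admin are hypothetical and chosen for illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only for requests that carry a valid Firebase Auth ID token.
    function signedIn() {
      return request.auth != null;
    }

    // Custom claim (assumed name: "admin") set server-side with the Admin SDK.
    // signedIn() is checked first so that an anonymous request never dereferences
    // request.auth.token; an evaluation error would also deny, but explicitly.
    // If the claim is absent on a signed-in user the comparison errors and the
    // request is denied, which is the safe outcome.
    function isAdmin() {
      return signedIn() && request.auth.token.admin == true;
    }

    // Hypothetical read-only catalogue: signed-in users may read, the client never writes.
    // This is the "app only reads data" case from the question.
    match /products/{productId} {
      allow read: if signedIn();
      allow write: if false;
    }

    // Hypothetical per-user documents keyed by uid: a user may only touch their own document,
    // and on create the shape of the document is validated so the client cannot add extra fields.
    match /users/{userId} {
      allow read, update, delete: if signedIn() && request.auth.uid == userId;
      allow create: if signedIn()
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['displayName', 'createdAt'])
                    && request.resource.data.displayName is string
                    && request.resource.data.displayName.size() <= 64;
    }

    // Null-safe version of the answer's admin rule: anyone signed in may read,
    // only a user carrying the admin claim may write.
    match /settings/{document=**} {
      allow read: if signedIn();
      allow write: if isAdmin();
    }
  }
}
```

Paste this into the Rules tab of the console (or into firestore.rules and deploy with the Firebase CLI) and confirm that there is no remaining request.time < timestamp.date(...) clause. Before publishing, exercise the rules with the Rules Playground in the console or against the local emulator (firebase emulators:start --only firestore) with an unauthenticated request, a signed-in user reading another user's document, and a signed-in user writing to products; all three should be denied while the app's own reads succeed.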