Below is a sample security code I am trying to implement in production, but it keeps throwing the following error.

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.time < timestamp.date(2022, 4, 13);
    }
  }
}
```

Error:

Missing or insufficient permissions.

I only want a "read only" database for production. What am I missing here?

Dharmaraj

2 Answers

4
```
allow read: if request.time < timestamp.date(2022, 4, 13);
```

This statement returns true only when the current time is before 13th April 2022, which was yesterday.

```
match /{doc=**} {
  allow read: if true;
}
```

You can switch to rules shown above to always allow read operations.


However, these rules allow anyone on the internet to read your database (that should be fine for this specific use case) but you should write secure rules if you also have any other use case.

Check out more about security rules in the documentation. Also check out the "Get to know Cloud Firestore | Security Rules" video on Firebase's YouTube channel.

Dharmaraj
  • The main problem is I have multiple databases within the Firestore and in future I may add some more, so is there a way I can match all of them in a single command instead of multiple commands? – Bhavya Sharma Apr 14 '22 at 13:24
  • @BhavyaSharma95 I believe you are referring to multiple `collections`. Firestore cannot have multiple instances in a single project. The `match /{doc=**}` is a recursive wildcard and matches all collections. So all collections can be read by anyone. Check my updated answer. – Dharmaraj Apr 14 '22 at 13:27
  • **Recursive wildcard**, so even with App Check a user can abuse my bandwidth – Bhavya Sharma Apr 14 '22 at 13:33
  • @BhavyaSharma95 you are allowing anyone to read your database. They can repeatedly request data, yes. But the same case can happen even if a user has access to a specific collection/doc. It'll be best to contact Firebase support if that ever happens. – Dharmaraj Apr 14 '22 at 13:35
  • Is there a way to throttle the requests from security rules? – Bhavya Sharma Apr 14 '22 at 13:46
  • @BhavyaSharma95 check out [How do I implement a write rate limit in Cloud Firestore security rules?](https://stackoverflow.com/questions/56487578/how-do-i-implement-a-write-rate-limit-in-cloud-firestore-security-rules) – Dharmaraj Apr 14 '22 at 13:46
1

If you want a read-only database, then you're probably looking for a ruleset something like this:

```
allow read;
allow write: if false;
```

And, just an extra tip: give your users the most minimal permissions. That means, in this case itself, you probably don't want to give your users read permission to the entire database.

So, it's always a better choice to allow reading or writing only to the specific collections or documents.

Sreelal TS
  • The main problem is I have multiple databases within the Firestore and in future I may add some more, so is there a way I can match all of them in a single command instead of multiple commands? – Bhavya Sharma Apr 14 '22 at 13:24
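
The failure diagnosed in the first answer (a time-boxed read rule whose cutoff has passed) and the least-privilege point in the second answer (unconditional read on a recursive wildcard) can both be caught before deployment. The JavaScript below is an added example, not code from the thread or from Firebase; `lintFirestoreRules`, its finding labels and the `/public/{docId}` collection are hypothetical, and it is a line-based scan, not a full rules parser.

```javascript
// Added example: line-based lint for Firestore read rules (not a full parser).
// lintFirestoreRules and its finding labels are hypothetical names.
function lintFirestoreRules(rulesText, now = new Date()) {
  const findings = [];
  const stack = []; // enclosing match blocks: { path, depth }
  let depth = 0;    // current brace nesting level
  rulesText.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, '').trim(); // drop // comments
    const m = line.match(/^match\s+(\S+)\s*\{/);
    if (m) stack.push({ path: m[1], depth });
    const a = line.match(/^allow\s+([\w\s,]+?)\s*(?::\s*if\s+(.+?))?\s*;/);
    if (a && /\b(read|get|list)\b/.test(a[1])) {
      const path = stack.length ? stack[stack.length - 1].path : '(none)';
      const cond = a[2]; // undefined for a bare "allow read;"
      const t = cond && cond.match(
        /request\.time\s*<\s*timestamp\.date\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)/);
      if (t) {
        // Rules months are 1-based; JavaScript Date months are 0-based.
        const cutoff = new Date(Date.UTC(+t[1], +t[2] - 1, +t[3]));
        findings.push({ line: i + 1, path, cutoff: cutoff.toISOString().slice(0, 10),
          issue: cutoff <= now ? 'expired-time-rule' : 'time-boxed-rule' });
      } else if ((cond === undefined || cond === 'true') && path.includes('=**}')) {
        findings.push({ line: i + 1, path, issue: 'open-recursive-read' });
      }
    }
    // Track nesting so a closing brace leaves the innermost match block.
    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    while (stack.length && stack[stack.length - 1].depth >= depth) stack.pop();
  });
  return findings;
}

// Constructed sample: the question's rule plus a scoped read-only collection.
const sampleRules = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.time < timestamp.date(2022, 4, 13);
    }
    match /public/{docId} {
      allow read;
      allow write: if false;
    }
  }
}`;
console.log(lintFirestoreRules(sampleRules, new Date('2022-04-14T00:00:00Z')));
```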