
I have a Firebase app with all my code on the frontend (I know, not great). I've enabled App Check and my rules are currently:

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Is it still possible for people to access my data by somehow using Cloud Functions in the dev tools console?

Note this app will not be released - I'd have an actual backend for this.

  • "Note this app will not be released - I'd have an actual backend for this." The backend will need to access the database somehow, right? That's when you use the ["Admin SDK"](https://firebase.google.com/docs/admin/setup). It does bypass the security rules, but again, it is meant to be used in secure server-side environments such as your server or Cloud Functions only. As long as you don't lose the credentials and try to use it on the client side, you are all good. – Dharmaraj Sep 04 '22 at 12:08
  • @Dharmaraj My `firebaseConfig` etc. is on the client side. Forgetting the need for the app to actually write data, if my rules disallow all read/write requests, is there any way at all to access the database, i.e. from console? – Henry Hudson Sep 04 '22 at 12:12
  • The `firebaseConfig` web config that you are referring to is meant to be public. Check out [this answer](https://stackoverflow.com/a/37484053/13130697) for more information. Also, Firebase SDKs are meant to be used on the client side. Even if you don't have a backend server but have proper security rules set up as per your use case, you are good. – Dharmaraj Sep 04 '22 at 12:13
  • @Dharmaraj Thanks for taking your time to help me. – Henry Hudson Sep 04 '22 at 12:16
