I have a messaging app that uses Firestore Storage to store all attachments and Realtime for all messages. I find myself with the problem that by default any user from the Internet can read data: in the case of Storage, knowing the URL, you can access the file, and in the case of Realtime, the messages.

My idea is to propose two options to see which is viable:

  1. I have an app registered as a project, can the rules be configured to only allow requests that come from that app? How would these rules be made in store and realtime?

  2. It can be configured so that only users registered through the Authentication section have access to the storage and realtime information.

For this option two I have tried this rule:

   allow read, write, delete: if request.auth != null;

But I can still consult the resource from the internet and the browser without obviously being a registered user in my app.

a.castro
  • You mentioned two different products here: Firestore and Cloud Storage. They are different things. When you talk about files and loading content with URLs, that sounds like Cloud Storage, not Firestore. Could you edit the question to be more clear about which product you're using and how you are accessing the data you want to protect? Please be specific - we should be able to reproduce the behavior you describe using the steps you provide in the question. – Doug Stevenson Jan 18 '23 at 16:27

1 Answer

You can't configure the security rules to only allow access from your own application, but nowadays you can configure App Check to do precisely that, and it can be applied to both Cloud Firestore and Cloud Storage.

App Check is not a guarantee though, so you'll still want to implement your security rules so that they only allow valid operations. How to do that is pure business logic of your application, so only you can determine how to implement - similar to how you implemented that business logic in the source code of your iOS app.

Also see:

Frank van Puffelen
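An added example (not from the question or the answer) of the kind of business-logic rules the answer refers to, assuming a data model where each conversation document keeps a `members` array of user IDs, each message carries a `sender` field, and attachments are uploaded under the conversation's ID; the two rule sets go in separate files (firestore.rules and storage.rules):

```firebase-rules
// firestore.rules (assumed model: /conversations/{cid} with a `members` array of uids,
// messages under /conversations/{cid}/messages/{mid} with a `sender` field)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Signed in AND listed as a member of the conversation (not just "any authenticated user")
    function isMember(cid) {
      return request.auth != null
        && request.auth.uid in get(/databases/$(database)/documents/conversations/$(cid)).data.members;
    }

    match /conversations/{cid} {
      allow read: if isMember(cid);
      // The creator must put themselves in the member list; later edits require membership
      allow create: if request.auth != null && request.auth.uid in request.resource.data.members;
      allow update: if isMember(cid);
      allow delete: if false;

      match /messages/{mid} {
        allow read: if isMember(cid);
        // A message may only be written by the user it claims as sender, who must be a member
        allow create: if isMember(cid) && request.resource.data.sender == request.auth.uid;
        allow update, delete: if false; // messages are immutable
      }
    }
  }
}

// storage.rules (attachments stored under /attachments/{cid}/{file})
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /attachments/{cid}/{file} {
      // Cross-service check: the caller must be a member of the conversation in Firestore
      allow read: if request.auth != null
        && request.auth.uid in firestore.get(/databases/(default)/documents/conversations/$(cid)).data.members;
      // Uploads only by members, with a size limit; no updates or deletes through the client
      allow create: if request.auth != null
        && request.auth.uid in firestore.get(/databases/(default)/documents/conversations/$(cid)).data.members
        && request.resource.size < 10 * 1024 * 1024;
    }
  }
}
```

These rules only govern SDK and REST requests that present the user's token; a Storage download URL that embeds an access token remains readable by anyone holding that URL regardless of rules, so private attachments should be fetched through the SDK rather than shared as download URLs.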