
I'm having a problem understanding the Firebase docs that explain how to authenticate an API to have write access in production mode.

These are my rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}

And this is the code for initializing the Firebase app:

// Import the functions you need from the SDKs you need
import { initializeApp } from "firebase/app";
import { getAuth, signInWithEmailAndPassword } from "firebase/auth";
// TODO: Add SDKs for Firebase products that you want to use
// https://firebase.google.com/docs/web/setup#available-libraries

// Your web app's Firebase configuration
// For Firebase JS SDK v7.20.0 and later, measurementId is optional
const firebaseConfig = {
  apiKey: process.env.FIREBASE_API,
  authDomain: process.env.FIREBASE_AUTHDOMAIN,
  databaseURL: process.env.FIREBASE_DB_URL,
  projectId: process.env.FIREBASE_PROJECT_ID,
  storageBucket: process.env.FIREBASE_STORAGE_BUCKET,
  messagingSenderId: process.env.FIREBASE_MESSANGING_SENDER_ID,
  appId: process.env.FIREBASE_APP_ID,
  measurementId: process.env.FIREBASE_MEASUREMENT_ID,
};
// Initialize Firebase
const app = initializeApp(firebaseConfig);
export default app;

Any help would be appreciated.

I've tried multiple methods, but all of them seemed to require a login form, which I don't want to have on my website. Or that's what I understood at least, but I could be wrong, as I am a beginner at Firebase.

  • I cannot understand that - you want to authenticate an API to have write/read access and don't want users to log in? If only authenticated users can write/read the database, then users must log in. IDK if you have any specific requirement. – Rajendra A Verma Aug 16 '23 at 20:12
  • Again, I'm sorry if it's a stupid issue, but what I wanted is to have the API be the only thing with write/read access to the database – Hakim Oukil Aug 16 '23 at 21:22

1 Answer

I've tried multiple methods but all of them seemed to require a login form which I don’t want to have on my website

Your write rule, i.e.

  match /databases/{database}/documents {
    match /{document=**} {
      //...
      allow write: if request.auth != null;
    }
  }

means that only authenticated users can write to your database.

If you don’t want to implement a mechanism to authenticate users (e.g. through a login) you should not use such a rule.

More generally, implementing security is usually a combination of authentication (check the user is who he pretends to be) and authorisation (grant a specific access to a specific resource, e.g. a Firestore collection, to a specific user or group of users). Doing one without the other does not make sense.

  • Isn't that a bad practice for production? – Hakim Oukil Aug 16 '23 at 20:06
  • It all depends on your security requirements. – Renaud Tarnec Aug 16 '23 at 20:07
  • All I want is for the API to be the only thing to write/read from the database; no one else can besides the API – Hakim Oukil Aug 16 '23 at 21:21
  • For that you'll want to look into using Firebase App Check, rather than (just) security rules. But note that App Check is no guarantee that only your own code can call the API. Whenever you allow access directly from the client, there is no way to guarantee that - which is why you see everyone referring to signing in users. If you don't want to ask your users to enter credentials, you can use Firebase's **anonymous** authentication provider. – Frank van Puffelen Aug 16 '23 at 21:40
  • Alright, I'll give that a shot – Hakim Oukil Aug 16 '23 at 22:04
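Added example, not from the question, the answer or Firebase's documentation: a rule set that keeps the authentication check from the question but adds the authorisation half the answer describes, so a signed-in user (anonymous sign-in included) can only write their own documents, while a collection the backend publishes stays read-only for clients. The `public` and `users` collection names are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection: data your backend publishes for everyone.
    // Clients may read it; no client may write it. A server that writes
    // through the Firebase Admin SDK is not subject to these rules, so
    // "only the API writes" is achieved by denying client writes here.
    match /public/{doc} {
      allow read: if true;
      allow write: if false;
    }

    // Assumed collection: one document tree per user.
    // Authentication: request.auth is set only for signed-in users
    // (the anonymous provider counts). Authorisation: the uid in the
    // token must match the {userId} path segment, so an authenticated
    // user still cannot read or write another user's data.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // No catch-all /{document=**} block: Firestore denies any request
    // that no match grants, so every other path is rejected.
  }
}
```

The question's rule set grants every authenticated user write access to every document; this version grants each user access to exactly one subtree.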