How do we secure a Firebase Firestore without using Firestore Authentication? Or is it a must?
At this moment we have 1 Firebase Function running that connects to a Firestore database instance. It correctly connects to the Firestore database using the rules below, however this is insecure.
```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```
It is however unknown to me how we should secure this if we don't have Users in our application. It is not multitenant. We just do HTTP calls to the function and it saves something in the database.
> To build user-based and role-based access systems that keep your users' data safe, use Firebase Authentication with Firebase Security Rules.
We do not have user data.
> Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials.
If we change our write rule to `write: if request.auth() != null` our application fails to save.
However, we can call `getAuth()` and then `signInAnonymously()`. But how does that make it more secure? And how long will the function remain authenticated?
We have read the documentation at https://firebase.google.com/docs/rules/rules-and-auth and https://firebase.google.com/docs/firestore/security/get-started. But as we don't have users in our application, it seems unclear to us how to secure Firestore using firestore.rules.
Concretely: How do we secure a Firebase Firestore without using Firestore Authentication? Or is it a must?
Solution 1:[1]
When not using Firebase Authentication, you cannot get details of the user who is making the request. `request.auth` will be null in this case and hence `request.auth() != null` fails.
When you use `signInAnonymously()` the user is signed in with Firebase Auth and `request.auth` contains details of that user. However, once the user logs out of an anonymous account by any means, there is no way to log back in with that account and the user won't be able to access their data again.
If you use your own authentication method, using Cloud Functions to retrieve data would be best so you can authenticate the user using your auth system and then serve data if authorized.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Dharmaraj |
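
The approach in the answer's last paragraph, as an added example that is not part of the original question or answer: the HTTP function authenticates the caller itself with a shared-secret HMAC before it writes. It assumes the function writes through the Admin SDK, which bypasses Security Rules as the quoted documentation note says, so the rules can be `allow read, write: if false`. The header names, the `submissions` collection and the secret handling are assumptions.

```javascript
// Added example: caller authentication inside the function, no Firebase Auth users.
// Header names, collection name and the 5-minute window are assumptions.
const crypto = require('node:crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // replays are still possible inside this window

// Caller and function share `secret`; the caller sends HMAC("<timestamp>.<raw body>") as hex.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`).digest('hex');
}

// Pure check, testable without Firebase. Returns the HTTP status to use.
function authorize(headers, rawBody, secret, nowMs = Date.now()) {
  const ts = Number(headers['x-timestamp']);
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > MAX_SKEW_MS) return 401;
  const expected = Buffer.from(sign(secret, headers['x-timestamp'], rawBody), 'hex');
  const given = Buffer.from(String(headers['x-signature'] || ''), 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return 401;
  return crypto.timingSafeEqual(given, expected) ? 200 : 401;
}

// `db` has the Admin SDK Firestore shape: db.collection(name).add(doc).
// In a deployed function it would come from getFirestore() in firebase-admin/firestore.
function makeHandler(db, secret) {
  return async (req, res) => {
    const rawBody = req.rawBody ? req.rawBody.toString('utf8') : '';
    const status = authorize(req.headers, rawBody, secret);
    if (status !== 200) return res.status(status).json({ error: 'unauthorized' });
    let data;
    try { data = JSON.parse(rawBody); } catch { data = null; }
    if (data === null || typeof data !== 'object' || Array.isArray(data)) return res.status(400).json({ error: 'bad json' });
    const ref = await db.collection('submissions').add({ ...data, receivedAt: Date.now() });
    return res.status(201).json({ id: ref.id });
  };
}
```
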
