How to write firestore rules with session cookies for authentication

I have used this https://firebase.google.com/docs/auth/admin/manage-cookies to implement session cookies into my next.js application.

Having no client user authentication, I assume I have to handle all my Firestore calls and permissions inside my server-side API, which begs the question: what use do I have for the Firestore rules? Are they just obsolete?

I'm asking because I don't see a way to authenticate anything with the rules, seeing as request.auth will always be null. I'm pretty sure I'm getting something wrong here, since in that doc for session cookies I see no mention that this will basically invalidate the .rules, yet I'm struggling to implement them.

Solution 1:[1]

Server-side rendering in Next.js has most of its benefits tied to reading data. If security for reading items in a collection is not important, I would leave the rules open.

If you do need to lock down reads (and/or writes) but still want to fetch the data from a server-side function, I would suggest using Cloud Functions.

Cloud Functions use the Admin SDK, which will always override your rules and allow your database operations to succeed in the edge case that you are using SSR.
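The practical consequence of the answer above is that once Firestore is read from the server through the Admin SDK, the rules are not evaluated at all, so the route that handles the session cookie has to do the authorization itself. The following is an added example, not code from the question, the answer, or the Firebase docs. It shows a Next.js-style API route that verifies the session cookie and then applies the same ownership check a rule such as `allow read: if request.auth.uid == resource.data.ownerId` would have applied. `firebase-admin` is not imported so the block runs offline; `adminAuth` and `db` are injected stand-ins for `admin.auth()` and `admin.firestore()`, the `notes` collection, the cookie name `session` and the sample documents are all constructed for the example.

```javascript
// Added example (not from the question, the answer, or the Firebase docs).
// With session cookies, Firestore is read on the server through the Admin SDK,
// which never evaluates security rules. The route therefore does both jobs:
// verify the session cookie, then enforce the ownership check that a rule like
//   allow read: if request.auth != null && request.auth.uid == resource.data.ownerId;
// would have enforced. `adminAuth` and `db` are injected stand-ins for
// admin.auth() and admin.firestore() exposing only the calls used here.

const SESSION_COOKIE_NAME = 'session'; // assumption: name used when the cookie was set

// Constructed sample data for a hypothetical "notes" collection.
const SAMPLE_NOTES = {
  'note-1': { ownerId: 'alice', text: 'alice private note' },
  'note-2': { ownerId: 'bob', text: 'bob private note' },
};

// Stand-in for admin.firestore(): supports collection(name).doc(id).get() and
// resolves to an object shaped like a DocumentSnapshot ({ exists, data() }).
function makeFakeFirestore(collections) {
  return {
    collection(name) {
      const docs = collections[name] || {};
      return {
        doc(id) {
          return {
            async get() {
              const data = docs[id];
              return { exists: data !== undefined, data: () => (data && { ...data }) };
            },
          };
        },
      };
    },
  };
}

// Stand-in for admin.auth(): verifySessionCookie(cookie, checkRevoked) resolves
// to the decoded claims ({ uid, ... }) or rejects, as the real call does. The
// real call checks signature, expiry and (optionally) revocation; this one only
// looks the constructed cookie value up in a table.
function makeFakeAuth(validSessions) {
  return {
    async verifySessionCookie(cookie, _checkRevoked) {
      const claims = validSessions[cookie];
      if (!claims) throw new Error('auth/session-cookie-expired');
      return claims;
    },
  };
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Server-side equivalent of the ownership rule above. Kept in one function so
// every route applies the same policy instead of re-deriving it.
function canRead(claims, noteData) {
  return claims != null && typeof claims.uid === 'string' && noteData.ownerId === claims.uid;
}

// Route logic decoupled from Next.js req/res so it can be exercised directly.
// Returns { status, body } the way the API route would respond.
async function getNoteForRequest({ adminAuth, db, cookieHeader, noteId }) {
  const sessionCookie = parseCookies(cookieHeader)[SESSION_COOKIE_NAME];
  if (!sessionCookie) return { status: 401, body: { error: 'no session' } };

  let claims;
  try {
    claims = await adminAuth.verifySessionCookie(sessionCookie, true); // true = checkRevoked
  } catch (err) {
    return { status: 401, body: { error: 'invalid session' } };
  }

  // The Admin SDK read succeeds regardless of rules, so the check below is the
  // only thing standing between a signed-in user and someone else's document.
  const snap = await db.collection('notes').doc(noteId).get();
  // Same response for "missing" and "not yours", so the route does not reveal
  // which document ids exist to other signed-in users.
  if (!snap.exists || !canRead(claims, snap.data())) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: { id: noteId, ...snap.data() } };
}

// Next.js API route wiring (e.g. pages/api/notes/[id].js). In a real route
// `deps` would be module-level { adminAuth: admin.auth(), db: admin.firestore() };
// it is a parameter here only so the fakes can be injected.
async function handler(req, res, deps) {
  const result = await getNoteForRequest({
    ...deps,
    cookieHeader: req.headers.cookie || '',
    noteId: req.query.id,
  });
  res.status(result.status).json(result.body);
}
```

Note that `canRead` is where the rule logic now lives: anything you would have written in `firestore.rules` for server-side reads has to be mirrored here, and the rules file only continues to protect paths that clients still reach directly with the client SDK.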

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Rafael Zasas