How to block Google Firestore access from the Google Firestore api-CodePudding

I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.

CodePudding user response：

It's unclear from the limited information in your question but, your Firestore database is not open to anyone with the Project ID.

The service is only accessible to any thing (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.

In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.

Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.

I suspect that your code is using ADCs to authenticate you to the project|service.

CodePudding user response：

Access to the data is wide open as long as you know the project id and using the Firestore API on a server.

If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.

Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.