My database has due to expire in two days because of rules security. I changed the default test rules yesterday, it is possible that they have not yet been noted, but to make sure they are sufficient to keep my database from expiring, I am asking you about it. Are these rules ok? Is it all to prevent the database from expiring?
Firestore database -> Cloud Firestore rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if
request.auth.uid != null;
}
}
}
Realtime Database rules:
{
"rules": {
"Users": {
"$uid": {
".read": "$uid === auth.uid && auth != null",
".write": "$uid === auth.uid && auth != null",
}
}
}
}
CodePudding user response:
The rules you show don't have an expiration date, so data access won't change based on the date anymore. Whether they're "OK" is a different matter though.
The Realtime Database rules you show give each user access to only their own data, which is a common practice and shown in the Firebase documentation on content-owner only access.
The rules you're showing for Firestore though, give access to anyone who successfully called the Firebase API to sign in, which is a much less strict requirement. If you use Firestore, I recommend also tightening the security there. And if you don't use Firestore, I recommend turning all access off with allow read, write: if false;