Firestore rules when a database is shared across multiple instances

Time:12-08

Imagine there is a Firestore database that is used by both 1 - a static front-end client and 2 - a node.js server.

Essentially, only a domain and an ip address are allowed to use that database, which works pretty well.

The tricky part:

  • we want to have the node.js server read/write on the entire database
  • but the web-client should only be allowed to read/write on the same database if a user is authenticated.

The issue is that with rules it is not possible to whitelist our ip address.

So we tried using this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Then the node.js server can signInAnonymously, while the front-end client needs to authenticate a user before accessing any of the content.

My question

Is signInAnonymously secure enough? Because anonymous auth is on, would it be possible for someone to signInAnonymously from within our front-end? Would it be possible for someone to spoof some header and pretend to be our domain only to authenticate themselves as anonymous?

What would the best practice for a case like this be?

CodePudding user response:

Maybe I can explain this in two parts:

  • First, there is no need for someone to spoof some header and pretend to be your domain. The reason is that if someone can log in anonymously from your domain directly, they can access all the information which you have allowed them to access.

  • Second, and most important, I think you have got the Node.js server-side access to Firebase wrong. If you want to access the whole database from the Node service, use the Firebase Admin SDK; you don't have to do any kind of authentication to read or write when you connect from the Firebase Admin SDK, since you have admin access.

  • FYI, you can also whitelist your auth IP from the Authentication settings, where you can allow whitelisted domains.
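
Added example, not part of the original question or answer: a ruleset that keeps the question's catch-all match but rejects anonymous sessions, with the question's rule shown in a comment for comparison. It assumes the Node.js server is moved to the Admin SDK as the answer suggests; Admin SDK requests are not evaluated against security rules, so the server keeps full access without any client sign-in. The helper name `isRealUser` is hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Rule from the question. An anonymous sign-in also populates
    // request.auth, so any caller who signs in anonymously passes it:
    //   allow read, write: if request.auth != null;

    // True only when the caller is signed in AND the ID token was not
    // issued by the anonymous provider. (Hypothetical helper name.)
    function isRealUser() {
      return request.auth != null
          && request.auth.token.firebase.sign_in_provider != 'anonymous';
    }

    match /{document=**} {
      allow read, write: if isRealUser();
    }
  }
}
```

If no client needs anonymous sessions once the server uses the Admin SDK, the Anonymous provider can also be disabled in the Authentication settings, which removes the anonymous path entirely.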
