I currently have a GCP/Firestore Cloud Function writing to Firestore. And a NuxtJS client reading from said Firestore DB.
My NuxtJS client does not use user-based authentication. It is a news site that shows publicly available information.
I'm trying to configure the Firestore security rules to only allow reading/writing/updating from applications with an active service account for this Firebase project.
Currently, I'm getting an error on my client that says FirebaseError: Missing or insufficient permissions.
I have verified that the service accounts in question are still active and have the appropriate permissions.
I'm guessing that I'm missing something in my security rules.
My current security rules are as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null; }
}
}
Any direction is greatly appreciated.
I'm trying to configure the Firestore security rules to only allow reading/writing/updating from applications with an active service account for this Firebase project.
The security rules are effective on requests made using the Firebase Client SDKs only. The Admin SDK which uses a service account bypasses all security rules and has complete access to your Firebase project. Since the users don't have to login in your application, you can set all the permissions to false:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
With these rules, only the Admin SDK can make requests to Firestore. If you are using runtime config to store your credentials, make sure the service account is in private so it can be access on server side only.
Related
I have received an email from Firebase stating the title of this post with these details:
We've detected the following issue(s) with your security rules:
any user can read your entire database
any user can write to your entire database
My Firebase database rules are as follows:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
I am not sure what to do. For my app users need to be able to read mostly and write (sometimes to submit stuff). Does anyone have tips to secure this better, or even if I can do anything?
Do you use Firebase Authentication in your app? If yes, then change the security rules to this :
allow read, write: if request.auth != null;
This rule will allow only logged-in user to get and write data to database. This should be a good starting point for a simple app. However, if you are not using Firebase Authentication, then you must implement your own authenticate scheme, but this is just not recommended for security
I use a service account to interact with my firestore database (native/realtime mode) from my backend application.
I'm trying to reduce the privileges of the service account. When I set permissions to:Firebase realtime database admin all my calls fail with permission denied.
When I set them to Firebase Admin (i.e. access to everything, also image storage, functions etc) the api calls work perfectly.
P.s. since it's a service account it doesn't need security rules, so they are set as:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
How can I set permissions only to the database?
For who has the same problem, I figured out the correct permission: Cloud Datastore User
This works even if you are using a firebase/native mode database not in Datastore mode.
sorry for being naive. I'm a little confused about authentication with kreait/firebase-php package. I defined some rules at firebase console, like:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow create,delete:if request.auth.uid == true;
}
}
}
The problem is that, even if I change the rule, the behavior of the services(CRUD) will work the same way. It appears that the JSON document (service account downloaded from google) has all permissions or does not require firebase rules.
In my case, I want to restrict access and database operations to users where they don't have authentication and permissions.
I am currently checking the email / password. If the request is true, the method will return a token. After that, I persist the token in CACHE and delete it when the user logs out. With each request, the middleware checks whether the token exists in CACHE. That way, it will only help me to restrict the user's access pages. How do I restrict the operation of the database (CRUD)? Thank you all!
This behavior is expected. Access to Firestore coming from code initialized with a service account will always bypass security rules. Security rules only apply to access from the web and mobile client SDKs, and the REST API when provided with a Firebase Authentication token.
I am running a simple single page web app via firebase with which you can request information from cloud firestore.
Those are my security rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read ;
}
}
}
Problem With these rules, anyone who knows the link of my database can of course access the databse.
Question Is there any way to change these rules, so that you can only access the database through my web-app (with anonymous login)? Thanks.
What you're trying to do is not possible at all, even with security rules. You can control who can access what with security rules, but it's not possible to control where they're coming from, or the context of the request.
As written in Firestore documentation here I have a security rule like this:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, update, delete: if request.auth.uid == userId;
allow create: if request.auth.uid != null;
}
}
}
this rule works when I get authenticated with client library but not when I use server library as written in firebase documentation
Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials. If you are using the server client libraries or the REST or RPC APIs, make sure to set up Cloud Identity and Access Management for Cloud Firestore.
How to replicate this security rule to service accounts roles?
Code that uses the Firebase Admin SDK with a service account to access Firestore currently can not be scoped to a particular user ID for the purpose of enforcing security rules. All access with the Admin SDK will bypass security rules and have full control of the database.
Note that this is different than Realtime Database, which does have such a feature.