Authenticate with Firebase Anonymously - firebase

I am currently trying to let users achieve read access my Firestore database with anonymous authentication.
The reason I want to do this is because I keep getting emails saying "Your Cloud Firestore database has insecure rules" and I do not want to have the user to sign in.
To combat this problem I am making everyone an anonymous user when the application opens but I am having trouble with writing the rules that approve read access to anonymous users.
The function below is working:
func signInUser(){
let auth = Auth.auth()
auth.signInAnonymously{(result, err) in
if let err = err{
print(err.localizedDescription)
return
}
print("User Logged in anonymously")
}
}
How can I write a rule on the firebase console to allow read access only to the Firestore collections.
Also is this a bad idea?
Current Rule:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true
}
}
}

I suggest reading the documentation on security rules to understand how user authentication works with security rules.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
Whether or not this is a good idea is entirely up to you. You'll have to decide if you want all users to be able to read all data.

Related

How can give access to read but not write in firebase firestore settting rules

This is what I have in my rules setup but it does not allow me to view fetched data from firestore unless I'm logged in.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Photos/{PhotoID}/{document=**} {
allow read, write: if request.auth.uid != null
}
}
}
The request.auth.uid != null will return false if a user requesting data is not logged in with Firebase Authentication. If you want anyone to to fetch data then the rule should be allow read: if true;.
I'm not sure about your use case here but it's best to allow users to read/write their own data only. For that you'll need to store their UID somewhere in the document.
Then rules in your questions apply for Photos collection and all of it's sub-collection as you are using a recursive wildcard.
You may visit there docs here
Basics of firebase security rules
In addition to #Dharmaraj answer:
The code you provided above helps you check if user is logged in, if logged in then it allows both read and write operation else disallows/denies the operation.
Then if you want a free access to your database such that it will not check whether logged in or not , remove the if condition and only end the command with semicolon[;],
But be careful because if you allow both read and write access without checking if user is authenticated or not, then you endanger your data to the entire world.
To allow only read access:
rules_version = '2';
service cloud.firestore {match /databases/{database}/documents
{
match/Photos/{PhotoID}/{document=**} {
allow read:if true;
allow write: if false;
}
}
}
To allow only write access:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match
/Photos/{PhotoID}/{document=**} {
allow read: if false;
allow write:if true;
}
}
}

How to configure the rules of a Firebase project to be safe?

Hi I have the Firebase project, and when I create the databases, I create some rules for testing.
Now, they expire, and they close my project.
It is my first time working with Firebase projects, and I have no experience. I show you how I have defined the rules for both Cloud Firestore and the Realtime Database.
The project is an application in which users can register and leave their comments.
How should I set the rules for my databases to be secure?
How should I write my rules code?
I was absent from my project for a few days and they wrote to me from Google, which closes my project in two days. I have looked for information, but I do not know how to create the rules so that they are correct and my project also works
I EDIT MY QUESTION to add details
In my application I only want registered users to be able to write comments.
The alert that Firebase shows me is the following:
"Its security rules are defined as public, so anyone can steal, modify or delete data from its database."
The databases are empty, so there are no records yet.
Can you help me? Firebase will close my project if I don't write the rules right, the rules shouldn't be public.
I read the documentation that Firebase offers, but I don't really understand how to create my rules.
They show something like this, for authenticated users:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
And on the other hand they show these rules:
**// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}**
I don't know which one I should use exactly, and how I should write them, so that in my React Native app users can leave feedback.
Can you help me ?
I show the code of the rules of my databases
//REALTIME DATABASE
{
"rules": {
".read": true,
".write": true
}
}
//CLOUD FIRESTORE
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone with your database reference to view, edit,
// and delete all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// all client requests to your Firestore database will be denied until you Update
// your rules
match /{document=**} {
allow read, write: if request.time < timestamp.date(2020, 9, 2);
}
}
}
You can use the following rule where only authenticated users can write and read to the database.
For Cloud Firestore:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
For Realtime Database:
// Only authenticated users can access/write data
{
“rules”: {
“.read”: “auth != null”,
“.write”: “auth != null”
}
}
Speaking through experience, there are two main ways of securing your data:
Set a field in the document such as "userID" and only allow CRUD when the auth.uid value matches this field.
Use the collection-document-collection nature of cloud firestore and write a rule where you allow a user to CRUD all of their own collection. E.g.
match /users/{userID}{
allow read: if request.auth.uid ==userID;
allow write: if request.auth.uid == userID;
match /userDocs/{docID}{
allow read: if request.auth.uid == userID;
allow write: if request.auth.uid == userID;
}
}
Ideally you need to allow only authenticated users to access resource. From you code above
{
"rules": {
".read": true,
".write": true
}
}
The above will allow anybody to read and write to the database even to unauthenticated users.
for firestore as you can see the rules state that it should only allow full priviledge read and write to cloud firestore if only the date has not passed (2020,9,2)
VISIT the link To learn more about firebase database rules
and visit
to learn about firestore rules
You can use firebase authentication for your users then if they are authenticated they can access the database.

How can I set the Firebase Firestore rules if I want the user can access even there's no current user

I'm using Firebase Firestore to collect user information in my current Android app. But I didn't quite get the Firestore rules. I write the rule like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
But I want to user access the database even there's no current user because when the user sign up I'm checking the database if there's a current phone number in the database if not user can sign up this phone number. Thank you
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
Not recommended: Read and write access to all users.
Have a look at Fix insecure rules documentation from firebase for more details.

Retrieve a document in firebase

I have a database at firebase and I would like to retrieve a particular document which I know its name (will be called documentA) and also I have a working rule at server.
How can I get a single document which fullfil the security rules? I am trying with: val docRef = db.collection("cities").document("SF").get() but I don't know how to include user auth.
Database has a structure like this
cars
|
|-documentA
|-documentB
|-documentC
Security rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /cars/{carId} {
allow read, write: if request.auth.uid == resource.data.userId;
allow create: if request.auth.uid != null;
}
}
}
Firebase user authentication is included automatically for users who are signed in. Other than writing the code to signing in the user, there is no code you can write to add authentication manually. If your security rules require an authenticated user, you will have to arrange for that sign-in before the query is made.

make calls to firestore with auth-rules

I recently changed the firestore rules to the following rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
This should only allow authenticated users to access firestore. I'm using react-native as the frontend framework and it signs the user in anonymously if the user isn't already logged in. So all the requests going to firestore are from an authenticated user(anonymous or logged-in). However, after I updated the rules, the app isn't fetching anything from firestore. Are there any changes that must be done in the frontend after updating firestore rules?
[UPDATE] react-native throws me this error: FirebaseError: [code=permission-denied]: Missing or insufficient permissions.
You've got an extra match statement in there that's messing things up. If you just want all your authenticated users to have full read, write access to your full Firestore database, you'd just use:
service cloud.firestore {
match /databases/{database}/documents {
allow read, write: if request.auth.uid != null;
}
}

Resources