Cloud Firestore security, understanding a basic setup
So I'm trying to get my head around Cloud Firestore security and how that would work in my case. From reading the documentation, I see that client libraries are secured using Firestore rules, and server libraries are secured using IAM.
What I'm looking to achieve is quite simple. I want anyone using my iOS app to be able to read my database (and only those people). I don't really want them to have to login with username and password or OAuth unless this is essential. I'm not totally clear on whether there's a need for anonymous authentication in this case.
I want only internal admin users to be able to write to the database, e.g. through some app (native or web) I will later build.
What security setup is appropriate?
Tags: ios, google-cloud-firestore, firebase-security-rules
edited Mar 28 at 20:10 by Doug Stevenson
asked Mar 28 at 19:51 by Brad Thomas
1 Answer
If you want everyone coming through a mobile app to be able to read everything in your database unconditionally, this is the only rule you need:

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
    }
  }
}
```

The admin SDK and all other server SDKs always bypass security rules completely, so you don't need to do anything special there. The service account that you use just needs to have editor access to the project.
answered Mar 28 at 20:09 by Doug Stevenson
Ok thank you. Does this mean that only mobile app users have read access? Read access won't be possible through (for example) the REST API?
– Brad Thomas, Mar 28 at 20:13

The REST API works exactly like the mobile SDKs in terms of authentication. You can think of it as yet another way for the world to access your data without being a privileged service account. If this sounds like a security hole to you, think about the fact that it's quite possible for someone to tear down your app, get your app's config, and use that to build a new app that does whatever it wants to your Firestore with the same config.
– Doug Stevenson, Mar 28 at 20:34

Ok I appreciate you explaining
– Brad Thomas, Mar 28 at 20:39
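As an added example (not part of the question or of Doug Stevenson's answer), here is a complete rule set for the setup the question describes: public read for everyone, and writes only for accounts that carry an `admin` custom claim. The claim name `admin` and the `isAdmin()` helper are assumptions for this example; a custom claim can only be set server-side (for instance with the Admin SDK's `setCustomUserClaims`), so a client cannot grant it to itself, while the admin tooling the questioner plans to build can keep using the Admin SDK, which bypasses rules entirely.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed helper (not from the original answer): the caller is signed in
    // and its ID token carries an `admin` custom claim. The claim name is an
    // assumption; it must be set server-side, never from client code.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    match /{document=**} {
      // Public read. As the answer's comments explain, this is reachable by
      // anyone holding the project config, whether through the iOS SDK, the
      // web SDK or the REST API. To require any signed-in user instead
      // (Anonymous Auth would satisfy this), the line would read:
      //   allow read: if request.auth != null;
      allow read: if true;

      // Writes only for admin-claimed accounts. Rules deny anything not
      // explicitly allowed, so every other client write is rejected.
      // Server code using the Admin SDK is unaffected: it bypasses rules.
      allow write: if isAdmin();
    }
  }
}
```

Because rules are deny-by-default, this file leaves exactly one client write path (an account with the claim) and one read path (everyone). Before deploying, the two cases worth checking in the Firebase console's Rules Playground or the local emulator are an unauthenticated read (should succeed) and an unauthenticated or non-admin write (should be denied).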