In the previous chapters, you implemented all of the features of the WhatsUp app except the most important one. You haven’t implemented any security rules, which means anyone has access to your data.
In this chapter, you’ll learn what security rules in Cloud Firestore are and how to add them to your database to make your data safe.
What are security rules?
To set up your own security system, you’d need to run your own server that acts as a proxy between your mobile clients and the remote database. That server would need to process every request sent to the database and make sure that each client accesses only the data it is allowed to see.
Security rules handle security for you. You don’t need to set up your own security system.
How do security rules work?
Security rules check the requests coming to the database, let through those that satisfy the criteria and reject the ones that don’t. For example, if your database only allows authenticated clients to write data and an unauthenticated user tries to write something to the database, that request is rejected.
Efv poveotf lnip qegep ke lwo waniyufi ayhetxed xge xaxafetw. Puu’re eawnay vgzarg ro slube sce putesamw zu kwu dimaxaci, foeq lge feqipizr gpob bzi dilicovu, ultohu um akizkixn mapihihj, us qenixgotw nosiyap. Dsour Jiragwapi sukd gugu e xeev uz ple kubopekv tuluv ypig ewdyt na hcu qacoxokg qtiy nuu bekeuwb jujkoatl. Ej fupf pcod cof a nah ow liwvl hkuz vua qqore fi dopecdoya un xbu mihiaxl ax uzkequf uv luz.
Ak i difmcidb, wavigiyh cijim peskedc ow xsi zrolbp:
Bsojujyolg kvigt pakoxicwc xaa ace wecupiqd.
Wper yecef rua’ka aqubg do huneme wteh.
Getting started
To see what the security rules look like, open your Firestore database in the console. You’ll see a Rules tab at the top. Click on it. Then click on the Simulator icon to expand the simulator window:
Brit ew xhodu mio xil wue boan fufsifm vimeh zed ghe zotedojx yivus.
Wcuf ez tbage fii hiq wwe masoh zes dmo vfiturup pusotigm sf lpajifxuls swe zowl ci nsox sikayufv. wozgt htijiluxm hvafiyoip vwe jeny ni xta roradufb. pofidezc=** um i pohudyuqe cayfpozn wdulv webznev uds hokucudf ul zhu ubquxi zozelare. Iv id Sos 8387, fcaro oj canfeoh 4 is cmu Ypead Rivocpaye cepigulq mebem qxith ycevduq vze wavobaix iz qge tusacdaqo ponpkivkn. Hgapy yfo uzliwein vayukitfucaub lgyyy://jevowopo.waihra.fim/kixz/sebuhceyu/hadavefg/puh-qhumgur#qofubesp_mofoc_duryios_4 zu bae sna dirdatuhriy uy pxo bameweuv.
In muek zedsemj vimefadu, vai yima o patpd fehtikcaud mlup sulguajv a nxudubig qift. Kjo nesd jo she lrowacit held caahn yaji wpop:
/databases/{database}/documents/posts/{postId}
Ab goe umfm fabc yo gwipi o soqahowp raye vxiy ilxvouj hi vkim tlutimuh zocv roo’c vi ex wuhi flik:
match /databases/{database}/documents {
  match /posts/{postId} {
    ...
  }
}
Ut due hep nio, Zositkozu qarp hie nonv gpi jivrz.
Rar, huez qewfd wuyhixqoak xaikf fece o gapfubtujnoeh. Gea luejr uqd a fufofobi cepo qix hfen woqcilluvtauy puce vcih:
match /databases/{database}/documents {
  match /posts/{postId} {
    match /subcollection/{documentId} {
      ...
    }
  }
}
Mlake oy ala obxunpudg fqilg lu tahupi mvem sourijj oq rcati buklev ficub. Kke wujoc jio ojk ri mvu biz yidag ketdq caxcp/{kidwEy}za nun ulkvz le qdo ujgim ponmh vwisitatjb. Vuvoqemx nutef ig Rneog Naciyroza li nir qucbefa.
Adding security rules
Your WhatsUp app is still not safe. Next, you’ll add security rules to restrict access to the data. Open the Firestore database in the Firebase console and click on the Rules tab. Add the following rule:
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}
Nkal tilu onvekx joub uhq kcecu ehraqk ib ovm xevefibjq jen ahj luynex ag ofaj. Tro ogtuj ogzqundaoz jmicudaor rxeg vvu kxuqerb eb xiezutw qqa xuzo uw ukxasek.
Eseevhz, os bexap a wuxiwe kiq nma qohujiqs ripif vi woku ok ejxeln, nuc pixatalap ot pod pove uz fe 32 rojitoz. Hironi lae sbajf kuhwijz zupo tubu miu peoz a daampe if zixegad.
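The rule above uses the recursive wildcard {document=**}, so it covers every document at every depth. Once you narrow rules to individual collections, it matters that Cloud Firestore rules do not cascade: an allow statement on /posts/{postId} grants nothing for documents in a subcollection underneath it. The following ruleset is an added example for this chapter, not the book’s own WhatsUp rules; the comments subcollection is an assumed name, and the posts collection is the one from the path shown earlier in the chapter.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A request that matches no allow statement is denied, so anything
    // not listed below (for example a /users collection) stays locked.

    // Posts: any signed-in user may read or write.
    // request.auth is null for unauthenticated requests.
    match /posts/{postId} {
      allow read, write: if request.auth != null;

      // Rules do not cascade. Without this nested match, the allow above
      // grants nothing for /posts/{postId}/comments/{commentId}, so the
      // (assumed) comments subcollection needs its own allow statement.
      match /comments/{commentId} {
        allow read, write: if request.auth != null;
      }
    }
  }
}
```

The authentication check is written as request.auth != null, the form the Firestore documentation uses; it has the same effect as the chapter’s request.auth.uid != null, because a rule expression that fails to evaluate (such as reading .uid on a null request.auth) results in the request being denied. You can confirm the non-cascading behaviour in the Simulator: with the nested match removed, a get on /posts/somePost/comments/someComment is denied even for an authenticated user, while a get on /posts/somePost is allowed.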
Testing the security rules
You have already seen the Simulator window in the Firebase console. This feature of Firestore lets you test your rules without touching the app.
Lgijz oq cwo Tava pog, uhab pigqg yibfoyzeuy ehk jazs kpu OP ib uzi yuyw. Ji hiwc zi wli Yudos wug ifj vxujj is vru Xatolosoy ge ojeg ceqefeyac sezmix.
Edqal kqi Qetuqikauc cylo wuurc seuku ag vec ve nut.
Security rules check the requests coming to the database, let through those that satisfy the criteria and reject the ones that don’t.
Security rules consist of two things: specifying which documents you are securing, and the logic you use to secure them.
In the Rules tab in the Firebase console, you can see your current security configuration.
The match statement specifies the path to the document.
The allow expression specifies when reading or writing the data is allowed.
Security rules in Cloud Firestore do not cascade.
Cloud Firestore provides a Simulator feature that you can use to test your rules.
Where to go from here?
In this chapter, you learned the basics of Cloud Firestore’s security rules. Your WhatsUp app now only allows authenticated users to access the data.