
I am creating a Flutter mobile app and want to use Cloud Firestore to store some data that the clients should access. So far, there is no user-specific data, so I don't want my users to have to login in the app. What security rules do I need to specify to allow clients to read data, but deny public access (from "outside" of the app)?

These are the security rules I have set up so far.

service cloud.firestore {
    match /databases/{database}/documents {
        match /{document=**} {
            allow write: if false;
            allow read: if request.auth.uid != null;
        }
    }
}

Under Authentication --> Sign-in method, I have enabled anonymous authentication. But I'm not sure if the security rules are correct and what Dart code I need in the client to get the desired behavior (no need for client to specify credentials, but protection of my data from access outside of the app).

  • So you say "so I don't want my users to have to login in the app" and at the same time you say "What security rules do I need to specify to allow clients to login". So there is a misunderstanding. Commented Dec 28, 2018 at 11:28
  • Sorry, I edited the question. I don't want my users to login manually, but I'm not sure if I have to do something on the client side to authenticate the client (automatically, without the user noticing). Commented Dec 28, 2018 at 11:33

1 Answer


so I don't want my users to have to login in the app.

But you authenticate them. Even if it's an anonymous authentication, it's still an authentication.

What security rules do I need to specify to allow clients to read data, but deny public access (from "outside" of the app)?

The exact rules you already have.

But I'm not sure if the security rules are correct.

The rules are correct.

what Dart code I need in the client to get the desired behavior (no need for client to specify credentials, but protection of my data from access outside of the app).

Your code should look similar to this.


2 Comments

Ok thank you, so just to clarify: This will create a new, anonymous user for every client session, right? Seems kind of weird but if that's the way to go...
A single user will only have a single "session". Every user will have his own "session". Please also see my answer from this post.
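As an added illustration (not the answer's own code), here is Flutter client code matching the rules in the question: it reuses the anonymous user that firebase_auth persists on the device and only calls signInAnonymously() when no session exists, then reads a collection. It assumes the current firebase_core, firebase_auth and cloud_firestore packages and a hypothetical collection named items.

```dart
import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:flutter/widgets.dart';

/// Returns the current Firebase user, signing in anonymously only when no
/// session exists. firebase_auth persists the anonymous user on the device,
/// so after the first launch this returns the same uid instead of creating
/// a new anonymous user on every start.
Future<User> ensureSignedIn() async {
  final auth = FirebaseAuth.instance;
  final existing = auth.currentUser;
  if (existing != null) {
    return existing;
  }
  final credential = await auth.signInAnonymously();
  return credential.user!;
}

/// Reads the (assumed) 'items' collection. The read only succeeds once the
/// client has a uid, which is what `allow read: if request.auth.uid != null`
/// checks on the server side.
Future<List<Map<String, dynamic>>> loadItems() async {
  await ensureSignedIn();
  final snapshot = await FirebaseFirestore.instance.collection('items').get();
  return snapshot.docs.map((doc) => doc.data()).toList();
}

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();
  await Firebase.initializeApp();
  try {
    final items = await loadItems();
    print('loaded ${items.length} items');
  } on FirebaseAuthException catch (e) {
    // e.g. 'operation-not-allowed' when anonymous sign-in is disabled in the console
    print('auth failed: ${e.code}');
  } on FirebaseException catch (e) {
    // 'permission-denied' means the security rules rejected the read
    print('firestore failed: ${e.code}');
  }
}
```

Note that anonymous sign-in is open to any client that holds the project's public Firebase config, so these rules prove only that a Firebase session exists, not that the caller is your app; Firebase App Check is the feature intended to attest the calling app.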
