1

When I try to read a document in my firebase, I want to be able to check, if the request is legit. For this reason, there is a token that is stored in the firebase. I only want to allow the access, if the token matches with the clients. So my security rules should check, if the token from the client is matching the one in the document. I can not do this with auth, as my App does not have a login and relies purely on the document id and token to access the data.

enter image description here

So my question is, how can I send a parameter with my flutter read request ? And how can I compare, if the token that is in the request matches the one in the document. I figured this would be roughly the way:

match /databases/{database}/documents {
  match /test/{document} {
    allow write, read: if request.resource.data.token== document.data.token;
  }
}
Improve this question

1 Answer 1

Reset to default
2

So my question is, how can I send a parameter with my flutter read request?

You can't pass your own parameters to the security rules. The only information available in the security rules (for a read request) is:

  • the token of the user that made the request.
  • the path of the data that the user is trying to read.
  • any query parameters they pass along.

So if you want to do this type of check, you'll have to encode the token in one of those three things. The simplest one is to use the token as the document ID. And then change your rules to:

match /databases/{database}/documents {
  match /test/{document} {
    allow get: if true;
  }
}

The user can now still get a document, but can no longer list documents (read is he same as get + list). That boils down to: if you know the ID of a document, you can read it. This is a quite common way to secure document access, and is known as a form of a shared secrete.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

This seems like a good solution, but what do I do, if I want to add a "Admin Token" for write access ?
You could use the logic that a user can write a document, if that document already exists and they know its ID. But your if request.resource.data.token== document.data.token; will never work for that anyway, as resource.resource.data.token and resource.data.token will be the same if the user doesn't specify a value for token. It's a common misunderstanding: request.resource is the resource as it exists after the request is allowed (if it is allowed). So your check merely ensures that the token field is not modified.
No that won't work as I want users to be able to hand out the different tokens for different people. So if you have the normal token, you can see the object and interact with it. If you have the admin Token, you can delete and manage it. If you have a readonly token, you can only read what is in the object. Not having to sign up is the core function of this feature.
Unfortunately what you want doesn't seem to be possible in what I described above. I provided some more links to the relevant docs so that you can check for yourself if you can find a way to fit it within how the product works.
do you have any idea how I could implement such a system ? Or does it just not work at all ? What is with triggers that let me execute JS Code ?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.