0

I want to create a simple app where I can invite other users to view non-public content without forcing them to make an account. I'm trying to structure my DB/write Firestore security rules to do this.

So far, I have a document with:

  • content (only invited users should be able to access this)
  • passcode (six-letter string unique to a document)
  • array of allowed users (email addresses)

Ideally when an invited user inputs the code and their email address, it'll identify and read the correct document (if the passcode matches and their email address is in the array). Is this possible?

Improve this question
1

1 Answer 1

Reset to default
0

No, this is not possible. You can't make an application "pass" data to a security rule, as that is not really secure at all (anyone would actually be able to provide the value if they just know what it is). Firebase security rules would never allow this sort of security scheme.

The only truly secure way of limiting access to do a document on a per-user basis is to have the user sign in with a UID that can't be faked for the purpose of evaluating a rule.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for the insight! Just to clarify: when you check in for a flight for example, most sites let you enter your last name and a confirmation number to access your trip. This isn't possible with a Firebase/Firestore app? Is that simply because the Firebase auth API doesn't let you sign in with this combo?
Those sites probably have a complex custom-coded backend, and do not allow the frontend to query the database directly. What you are seeing there is not comparable to the way Firestore works when you query directly.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.