how can i restrict access to firestore database to only requests coming from specific domain?

0

Issue

there is a security rule that can restrict access to only specific users here: restrict access to specific users

Frank’s answer there was really helpful and straight forward, but what if i am not using firestore authentication ?!

all i want to achieve is to grant access to requests coming only from my domain…just the domain, without authentication…so no one can use postman for example to send GET or POST requests to my firestore database.

is there a way i can say something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.origin.matches(/<https://myCompany.com>/);
    }
  }
}

any help would be much appreciated.

Solution

There is no way to restrict to requests coming from a specific domain, and that would actually also be really easy to spoof. Something like Firebase App Check would help there, but that’s not yet available for Firestore (yet).

The common way to limit who can access the database is to:

  1. Require the user to sign in to Firebase Authentication
  2. Require that they verify their email address.
  3. Validate the email address of request.auth.token.email in the security rules.

Also see:

Answered By – Frank van Puffelen

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave A Reply

Your email address will not be published.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More