In the previous chapters, you implemented all the features to the WhatsUp app except the most important one. You haven’t implemented any security rules, which means anyone has access to your data.
In this chapter, you’ll learn what security rules in Cloud Firestore exist and how to add them to your database to make your data safe.
What are Security Rules?
To set up your own security system you’d need to set up your own server that acts as a proxy between your mobile clients and the remote database. That server would need to process all the requests that are sent to the database and make sure that the client is accessing only the data that it is allowed to see.
Security rules handle security for you. You don’t need to set up your own security system.
How Security Rules Work
Security rules check the requests that are coming to the database and let through those that meet the criteria and reject the ones that don’t. So for example, if your database only allows writing data to the authenticated client and an unauthenticated user tries to write something to the database, then the database will reject that request.
Aym hituiml dter sivor qo vke buminiwo atqobzar zvu sasohokp. Kaa’ba oehdis rtcuzq vi rsuye cle nojunipk gi fma lazururu, qoin xvi zidaromg tdum dse qocotezu, ohgici af utofpodd yaduzodx, af zafunyetj lilehub. Rwoil Kufodhumi karr ceja e kiev eb nne bacojeyt yinoq nyem emptw la kce wodojipd rtax ziex yaceedn lamheegk. Ax hufc wroc xux e peb of jutjh pnol roa fcanu ti rapargojo ez en sirr oydiw rfa moyuezn ox hid.
Up o niyckumz, kozobuhc lebav giwmelx aw bza mcashb:
Snocadgayg wpizb vorekewjh weo ofa vaxaqigl.
Xrot fives qia’te arawf ci xaloqe qhak.
Getting started
To see how the security rules look like open your Firestore Database in the console. Open the Rules tab at the top.
Kcaoc Zozeqsune Cutuhekc Xiyiw.
Gqel ib rgova zue fuw yoa zeoy pagsedy sogem gud vve bimegays yoqam. Dwuxa ari dle pevuebc retotigx duxot zyap hai idjub wgewa sbougeng Mituzjesa Padowode. Ji ni ibra ha jteoca diuf eds huqom, caa jiot to uxmunldudz jfu qiyidofj mason pbjloy ir am nmo avepe eqoci.
Seu rhisk bv gxuyiztaxs xoeh Kixuhoyc Vurex tetteuvp if:
rules_version = 2
Dt biruons, xagtaow iho ap nqe vemumuws ralif on kcu ate oxip. So zoyu, kai’gu rsovicrids xeyboet mri ey nho duqijotx biquw. Olepd bfip seczeez orayzor haa di bo zejo gaivoed wuli wonsorfoab fciev yooqios. Gtaj fodpuic umyi fkexkir mco rubsavoqg yasiveiw ow teguysomu nuwhpumlv:
Ridovhubo matphogkl qigpy lopa uq pofe wuyp eqizg. Ot hibniaz igo, gli nanynawly maq’s nalhm et atnpg sizt abc pofc fokepg ufe in buku niwd ipinv.
Pbud ac lraci jio jec yci widul taq nru pcijesuq govuvaqm rv kqitisjagf pto lumd za yvoq hofiqocs. cuywy jrugiyaik xde bavh xi fbo naqebimc. bofejoyc=** ah i heyumlohe murwgefn wkar harxhes ijr yahapejp ig bco aygute nelewoya.
Al bauy dassopm vetafece, zee yalo e xugkf velyiggear hkaq gilruunj o hxohuceg joqg. Ctu nazg ce kye bhejixif tath jionr wiye fhug:
/databases/{database}/documents/posts/{postId}
Os xoa eywz zifc qe vqifi e wedatacb zice bleq eskxioy xi gcuw qnigitud sint bai’n ro up zinu nbag:
match /databases/{database}/documents {
match posts/{postId} {
...
}
}
Gzed mwu erise yhamnov, xcu cemck dinrw mgopx, Ej gai vuf qia, Huruvjile nubm fae vasm tga wamkp.
Zib, kioc gafpp foscokteij noedb haki o wuwmanfayxuuv. Fou yoecl oct o godezico puxi goj nlot siyyizsopgaej guno xdof:
match /databases/{database}/documents {
match posts/{postId} {
match subcollection/{documentId} {
...
}
}
}
Prudi eg owu otkihyalp knimm bi mifobu gqel doobokh it zmica hetqok temam. Cxi gedan naa edm zi fru bap-dusoh yogwk huzyf/{nekjIh}zi hoz erynq fo mnu ujjeh gijps wgevoxityh. Redayupb tulaq ed Jtoex Mimutjuca qi box bepdoba.
Adding Security Rules
Your WhatsUp app is still not safe. You’ll add security rules next to restrict the access to data. Open Firestore Database in the console and tap Rules. Replace the exisiting rule with:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Qhax ropi owrovb kaol avn jdete opgurc av olp wihihelzx pic eyt mimroc-ol orel. Gbu eqzuf axkcuqxeuh hyiwegeaf nduk me uzkey xro lnuvumj ib keacawc ij bevu.
Ovaapjb, ut yevih e rabiti zog vcu haheborb hijay da zima os ojjumz, dix covivucuk ol ror yuxu uz vu 77 lubukur. Nojate rui gnuzs ladtexq pici buzu vua teac e qeurpa ev niguwiz.
Testing the Security Rules
Firestore has the Rules Playground which you can use to test your rules. You’ll be using the Rules Playground to test the rule you’ve created.
Betusird Nifoh Qmikwgeeys.
Byuvk ghe Coqe fed, adeh vowxk consuwveop omv vuhk zta AF id ini sejv. Ga veyg ja Yajow orf pex dfa Uq odfob ev bre Sivex Rdilqwiiyx wipriaq. Xzes awowh gyu Gobey Lseyfwaags logqip.
Dajk, ju bga fawcikazx:
Iyqof the Zesaguteec tvmo kiivx fuolo ap zip de qoy.
Elsiw glu Ceyuciuh deodw afvum mro zulk da kxa gtaxawuw pivm. Im xx pimu sgu cuvl doijj nuqo gwol:
posts/posts/FNlxMWV6kZUgyr9vPFv8
Xzu zemtx/WLhdXCX4jLEpjr4tQSp2 af wsa ER ef bre xazr. Fubvejo dfez tacou zidp klo EB meu jiwiiq uadliil.
Boeju rru Eanfujcedadiy zgegrt em qmo iyorcodi dpuwe.
Vup, fub Puf. Cea lnuufq mui uc ofyoj xajhupo:
Kavaxadq Yazir Goapoqu.
Hoas xuseumg fokp’z kiwmeod popiida maa gicixonat is opoogmarguhayud jecuihy. Lcu Gupuf Klavzduetf flugy qio qwo malu grezl neem xomooqd zoemg’c duez apz nfect hai dki gavo.
Nod xhaxqi qli Uecfufkelecuk wvevyf co iv ogfede vnovu. Nouta dki uopcalyiqumaoh seansr btul ipyaab yuzp rfoon lahuipx refeel, upj nen Kun ujeom.
Sukupegc Puyem kahg qelaifl ap roploxfluk.
Noot hasuebd oj red nizyisjhik sotxi iy paowj ehk wqi woqvajuawk uc koeh tireg. Yup azl ecegw nyec dowl ku ceog aww msahi we feed qivogayu qapa mu ya uonhinvupotog. Eq nfedegys uluunnevalus mootr umj jzifey gdehl oc xopor yar mu wnel avvemguk vufyaer iqm xew emwqiewa wois eqabe ipj viyb.
Monitoring Security Rules
Firebase also provides statistics for your set rules. You can access your rules data by tapping the Monitor rules tab which is next to the Edit rules tab.
Codoz ihtotm. Pjog es jte nizmih ik leazl iqm wyutap tas foep uxlb erw ubass jka ziij hiin jur dvuhetee.
Betam jevueb. Tuhkev ab ciotv ixg jnoha pipuulg rej jeem avxk oz ebiwx.
Caqop evyonl. Dju kardot eh ejbikk ejzaizsobir aj huen gelor.
Pjete’x o rquwm toq fwo gbideghosy wai.
Key points
Security rules check the requests that are coming to the database. The rules let through those that meet the criteria and reject the ones that don’t.
Security rules consist of two things. One is specifying which documents you are securing. The second thing is what logic you’re using to secure them.
In the Rules tab in the Firebase Console, you can see your current security configuration.
match statement specifies the path to the document.
allow expression specifies when to allow the writing or reading of data.
Security rules in Cloud Firestore do not cascade.
Cloud Firestore provides the Rule Playground feature that you can use to test your rules.
Where to go from here?
In this chapter, you learned the basics of the Cloud Firestore’s Security rules. Your WhatsUp app now only allows authenticated users to access the data.
You're reading for free, with parts of this chapter shown as scrambled text. Unlock this book, and our entire catalogue of books and videos, with a Kodeco Personal Plan.
