In the previous chapters, you implemented all the features of the WhatsUp app except the most important one: you haven’t implemented any security rules, which means anyone has access to your data.
In this chapter, you’ll learn what Cloud Firestore security rules are and how to add them to your database to keep your data safe.
What are Security Rules?
Without security rules, you’d need to run your own server as a proxy between your mobile clients and the remote database. That server would have to process every request sent to the database and make sure each client accesses only the data it is allowed to see.
Security rules handle this for you, so you don’t need to build your own security layer.
How Security Rules Work
Security rules check the requests coming into the database, let through those that meet the criteria and reject those that don’t. For example, if your database only allows authenticated clients to write data and an unauthenticated user tries to write something, the database rejects that request.
Getting started
To see what security rules look like, open your Firestore Database in the console and open the Rules tab at the top.
match /{document=**} {
...
}
/databases/{database}/documents/posts/{postId}
match /databases/{database}/documents {
  match /posts/{postId} {
    ...
  }
}
match /databases/{database}/documents {
  match /posts/{postId} {
    match /subcollection/{documentId} {
      ...
    }
  }
}
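The nested layout above, written out with an allow statement at each level. This is an added example, not a rule set from the chapter or from Firebase; the comments subcollection is hypothetical. It uses the documented `request.auth != null` idiom for "any signed-in user". The point it makes is the one the chapter's key points state: rules do not cascade, so a rule on /posts/{postId} grants nothing for documents below it, and each nested path needs its own allow.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Posts: signed-in users may read and write a post document.
    match /posts/{postId} {
      allow read, write: if request.auth != null;

      // Rules do not cascade: without this inner block, nothing under
      // /posts/{postId}/... would be readable or writable by anyone.
      // "comments" is a hypothetical subcollection used for illustration.
      match /comments/{commentId} {
        allow read, write: if request.auth != null;
      }
    }
  }
}
```

Note the leading slash on every match path, including the nested ones; the nested pattern is appended to the enclosing one, so the inner block here matches /databases/{database}/documents/posts/{postId}/comments/{commentId}.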
Adding Security Rules
Your WhatsUp app is still not safe. You’ll add security rules next to restrict access to your data. Open Firestore Database in the console and tap Rules. Replace the existing rule with:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Testing the Security Rules
Firestore has the Rules Playground which you can use to test your rules. You’ll be using the Rules Playground to test the rule you’ve created.
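The Rules Playground lets you try a request against your rules in the console. To show what that check is actually doing, here is an added example (Python, not code from the chapter or from Firebase) that models how Cloud Firestore decides a request: a request is allowed only if some match block whose path fits the request's document path has an allow statement for that method whose condition evaluates to true, and rules do not cascade from a path to the documents below it. The rules-language expressions are stood in for by Python callables, and a condition that raises (the way `request.auth.uid` does when `request.auth` is null) never grants access. The comments subcollection, the document ids and the uid are constructed for the example; the rule set `CHAPTER_RULES` is the one the chapter adds above.

```python
# Added example, not code from the Kodeco chapter or from Firebase: a small
# model of Cloud Firestore security-rule evaluation (path matching, allow
# statements, no cascading). Rule conditions are Python callables here.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str              # full document path, e.g. "/databases/db/documents/posts/p1"
    method: str            # get, list, create, update or delete
    auth: Optional[dict]   # None for an unauthenticated client, else {"uid": ...}


@dataclass
class Match:
    path: str                                   # pattern relative to the enclosing match
    allows: list = field(default_factory=list)  # [(["read", "write"], condition), ...]
    children: list = field(default_factory=list)


READ, WRITE = {"get", "list"}, {"create", "update", "delete"}


def _segments(p):
    return [s for s in p.split("/") if s]


def match_path(pattern, path):
    """Bindings for the wildcards if pattern matches the whole path, else None.
    {name} matches exactly one segment; {name=**} (rules_version 2) matches the
    rest of the path, zero or more segments, and must be the last segment."""
    pat, segs = _segments(pattern), _segments(path)
    bindings, i = {}, 0
    for j, p in enumerate(pat):
        if p.startswith("{") and p.endswith("=**}"):
            if j != len(pat) - 1:
                raise ValueError("recursive wildcard must be the last segment")
            bindings[p[1:-4]] = "/".join(segs[i:])
            return bindings
        if i >= len(segs):
            return None
        if p.startswith("{") and p.endswith("}"):
            bindings[p[1:-1]] = segs[i]
        elif p != segs[i]:
            return None
        i += 1
    return bindings if i == len(segs) else None


def _expand(methods):
    out = set()
    for m in methods:
        out |= READ if m == "read" else WRITE if m == "write" else {m}
    return out


def is_allowed(rules, request, prefix=""):
    """True if any match block fitting request.path grants request.method.
    A parent's allows apply only when the parent's own full pattern matches,
    so nothing cascades to documents deeper in the path."""
    for m in rules:
        full = prefix + m.path
        bindings = match_path(full, request.path)
        if bindings is not None:
            for methods, cond in m.allows:
                if request.method in _expand(methods):
                    try:
                        if cond(request, bindings):
                            return True
                    except (AttributeError, KeyError, TypeError):
                        pass  # evaluation error: this allow does not grant
        if is_allowed(m.children, request, full):
            return True
    return False


# Condition used by the chapter's rule: request.auth.uid != null.
def signed_in(req, _bindings):
    return req.auth["uid"] is not None   # raises TypeError when auth is None


# The chapter's rule set: every document, read and write, for signed-in users.
CHAPTER_RULES = [Match("/databases/{database}/documents", children=[
    Match("/{document=**}", allows=[(["read", "write"], signed_in)])])]

# Constructed variant with a read rule only on /posts/{postId}; the comments
# subcollection is hypothetical and exists to show that rules do not cascade.
POSTS_ONLY_RULES = [Match("/databases/{database}/documents", children=[
    Match("/posts/{postId}", allows=[(["read"], signed_in)])])]

POST = "/databases/db/documents/posts/p1"                 # constructed ids
COMMENT = "/databases/db/documents/posts/p1/comments/c1"
USER = {"uid": "user-1"}                                  # constructed uid

if __name__ == "__main__":
    print(is_allowed(CHAPTER_RULES, Request(POST, "get", USER)))        # True
    print(is_allowed(CHAPTER_RULES, Request(POST, "get", None)))        # False
    print(is_allowed(POSTS_ONLY_RULES, Request(COMMENT, "get", USER)))  # False
```

The three cases printed at the bottom mirror what you would check in the Rules Playground: a signed-in read of a post under the chapter's rule passes, an unauthenticated read fails because `request.auth.uid` cannot be evaluated, and under the posts-only rule set a signed-in read of a comment fails even though its parent post is readable.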
Monitoring Security Rules
Firebase also provides statistics for the rules you’ve set. You can access them by tapping the Monitor rules tab, next to the Edit rules tab.
Key points
Security rules check the requests that are coming to the database. The rules let through those that meet the criteria and reject the ones that don’t.
Security rules consist of two things: which documents you are securing, and what logic you’re using to secure them.
In the Rules tab in the Firebase Console, you can see your current security configuration.
The match statement specifies the path to the document.
The allow expression specifies when to allow reading or writing of data.
Security rules in Cloud Firestore do not cascade.
Cloud Firestore provides the Rules Playground feature that you can use to test your rules.
Where to go from here?
In this chapter, you learned the basics of Cloud Firestore’s security rules. Your WhatsUp app now only allows authenticated users to access the data.