
I have a client-side web app using Firestore and Cloud Functions.

I would like to set up rules such that if a user has a secret URL for a document, that user is able to write to it, without needing any other kind of login or authentication. Something like (pseudo-code, I just made up request.params.secret_token):

service cloud.firestore {
  match /databases/{database}/documents {
    match /cities/{city} {
      allow read, write: if resource.data.secret_token == request.params.secret_token;
    }
  }
}

I'm confused by the various authentication options available and can't quite reason through the best way forward.

Potential options that feel close:

  • Anonymous authentication might be needed; that could get me an auth token. As far as I can tell I can't get very far without one of these.
  • Use a custom claim, but it says you can only set them securely on the server side.
  • Use a custom token, but this seems more applicable when I have a pre-existing sign-in server component.
Frank van Puffelen
Xavier Shay

1 Answer

if a user has a secret URL for a document, that user is able to write to it, without needing any other kind of login or authentication.

Simply set your database rules to allow anyone to read and/or write the data at the path specified in the JavaScript on/in that particular webpage. Maybe simply put the database read or write in a <script> tag after your Firebase <script> tag right in that page.

However, like you said, anyone that visits that page/URL is gonna be able to read and/or write whatever data is in that particular node, or field, or document.

Edit the firestore.rules file like so to enable read write for anyone/all. See Documentation.

service cloud.firestore {
  match /databases/{database}/documents {
    match /<some_path>/ {
      allow read, write;
    }
  }
}
Ronnie Royston
  • "Simply set your database rules to allow anyone to read and/or write the data at the path specified in the JavaScript on/in that particular webpage." I guess this is my question, how do I get access to that in the rules file? – Xavier Shay Mar 25 '18 at 02:06
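
One way to get the secret-URL behaviour asked about above, as an added example that is not from the question or the answer: rules can match on the document path, so the secret can be the document ID itself, with single-document access allowed and enumeration denied. Assumptions: the wildcard name `secretId` is made up here, and each `cities` document is created server-side (for example by a Cloud Function using the Admin SDK, which bypasses rules) with a long random ID that is then embedded in the URL.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: {secretId} is a long, random, server-generated document ID.
    // Knowing the ID (from the secret URL) is the only credential.
    match /cities/{secretId} {

      // "read" is shorthand for get + list, and "write" for
      // create + update + delete. A blanket "allow read, write;" therefore
      // also grants list, which lets any client query the collection and
      // learn every document ID, defeating the secret.

      // Single-document operations: the caller must already know the ID.
      allow get: if true;
      allow update: if true;

      // No collection queries, so IDs cannot be enumerated.
      allow list: if false;

      // Clients can neither mint new documents nor remove existing ones;
      // creation is left to the server so the ID is always random.
      allow create, delete: if false;
    }
  }
}
```

Anyone who obtains the URL has the same access as the intended user, so the ID needs to be treated like a password: long, random, and kept out of logs and referrers.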