6

I'm currently setting up a Dialogflow bot (for FAQ and contact), and the fulfillment / data storage is being done in Firebase Firestore using Google Cloud Functions (Node.js).

Obviously I would like to have security rules limiting access to the database to only Dialogflow. Could anyone point me in the right direction on how I would go about doing this?

The examples I found were all checks regarding something stored in the database, which wouldn't work in my case..?

Doug Stevenson

2 Answers

11

Security rules are only relevant when you have a mobile client (Android, iOS, web) directly accessing some data in Firestore, Cloud Storage, or Realtime Database. They also apply to unauthenticated access from the REST API. Any other access from a backend, including code you might write for a Dialogflow fulfillment hook, isn't subject to security rules. That is to say, accessing these resources from a backend through the admin SDK ignores security rules altogether.

If you only intend to access these products from a backend, just make sure your security rules disallow public access from mobile clients.

Renaud Tarnec
Doug Stevenson
0

I have added an option in the security rules to check whether the request is from the user which I use to authenticate requests to Realtime DB in Cloud Functions, like this:

{
  "rules": {
    ".read": "auth != null && auth.token.email.matches(/^firebase-adminsdk-[xxx]@[project-name]\\.iam\\.gserviceaccount\\.com$/)",
    ".write": "auth != null && auth.token.email.matches(/^firebase-adminsdk-[xxx]@[project-name]\\.iam\\.gserviceaccount\\.com$/)"
  }
}

You can use the rules tester to verify that authenticated requests from other users will be rejected.

Filip Kwiatkowski
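
An offline pre-check for the email pattern in a rule of the kind shown in this answer, to run before the rules tester (added example, not part of the original answer). The service-account suffix `abc12`, the project id `example-project` and the sample emails are constructed, and it assumes JavaScript's `RegExp` behaves like the rules engine for this simple anchored pattern. It compares a pattern with unescaped dots against one that writes them as `\\.` in the rules JSON.

```javascript
// Constructed rules documents: the same rule with unescaped and escaped dots.
const LOOSE_RULES = String.raw`{ "rules": { ".read":
  "auth != null && auth.token.email.matches(/^firebase-adminsdk-abc12@example-project.iam.gserviceaccount.com$/)" } }`;
const STRICT_RULES = String.raw`{ "rules": { ".read":
  "auth != null && auth.token.email.matches(/^firebase-adminsdk-abc12@example-project\\.iam\\.gserviceaccount\\.com$/)" } }`;

// Constructed sample emails: the intended account plus addresses that must be rejected.
const SAMPLE_EMAILS = [
  'firebase-adminsdk-abc12@example-project.iam.gserviceaccount.com',
  'firebase-adminsdk-abc12@example-project-iam-gserviceaccount.com',
  'firebase-adminsdk-abc12@example-project.iam.gserviceaccount.com.example.org',
  'alice@example.com',
];

// Pull the /regex/ literal out of a rule expression such as
// "auth != null && auth.token.email.matches(/^...$/)".
function extractPattern(ruleExpr) {
  const m = ruleExpr.match(/\.matches\(\/(.*)\/(i?)\)/);
  if (!m) throw new Error('no .matches(/.../) call found in rule');
  return new RegExp(m[1], m[2]);
}

// Parse the rules JSON (this is where "\\." becomes the regex escape "\."),
// then return every sample email the rule's pattern would accept.
function acceptedEmails(rulesJson, path, emails) {
  const rule = JSON.parse(rulesJson).rules[path];
  if (typeof rule !== 'string') throw new Error('no rule at ' + path);
  const pattern = extractPattern(rule);
  return emails.filter((email) => pattern.test(email));
}

console.log('unescaped dots accept:', acceptedEmails(LOOSE_RULES, '.read', SAMPLE_EMAILS));
console.log('escaped dots accept:  ', acceptedEmails(STRICT_RULES, '.read', SAMPLE_EMAILS));
```

Any address other than the intended service account appearing in the output means the pattern is wider than the rule's author meant.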