1

I am using firebase authentication on my reactJS application. When a user signs up, an entry is added into firestore to store some account details at user/(UID).

I need to create firestore rules that willL

  1. Prevent unauthenticated users from reading and writing to firestore
  2. Only allow users to read their own data in firestore Users/(users UID)
  3. Allow newly registered users to write to firestore so data can be added for their account.

I have tried the following:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
        match /users/{userId}/{document=**} {
        allow read, write: if request.auth != null && request.auth.uid == userId;
      }
      allow read;
      allow write: if request.auth != null;
    }
  }
}

But i am receiving an email each day from Firebase saying my rules are insecure and anyone can write to my database. How can i fix this?

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
admin admin
  • 75
  • 5

1 Answers1

1

You have a recursive wildcard (/{document=**}) with the rule allow write: if request.auth != null; which allows any authenticated user to write in any collection/document of the database. Based on the given constraint, try refactoring your rules to:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{sub=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
Dharmaraj
  • 47,845
  • 8
  • 52
  • 84