My app sends data from a user entered form on the frontend to the database.
There is no login required.
Is there a set of rules I can use for this? I think this is quite a niche case so there isn't much about it.
Asked
Active
Viewed 153 times
0
-
Security rules depend on the use of Auth to determine who can read and write data. If you don't use that, then you have a publicly writable database (which you will be constantly reminded about as a security problem) without any real alternatives. You can use App Check to try to limit use to just your app, but that is not a hard guarantee. – Doug Stevenson Sep 02 '22 at 15:58
-
@DougStevenson is what I'm doing just completely impossible? Is there some sort of way that I could protect all calls apart from the function called when the user submits the form? Surely in an app that has auth, etc., there are protected functions/routes? – Henry Hudson Sep 02 '22 at 19:31
-
1No, there does not have to be unprotected anything. Everything can require an end user auth. If you are serious about security aim for that. Else, accept that your backend is vulnerable to general abuse. – Doug Stevenson Sep 02 '22 at 19:39
-
@DougStevenson Okay, do you know of any firebase firestore full stack apps with vanilla js examples? I'm not sure what the structure of the app needs to be. – Henry Hudson Sep 02 '22 at 19:48
-
1Always keep in mind that you can give each user an identity without asking them for any credentials with Firebase's **anonymous** authentication provider: https://firebase.google.com/docs/auth/web/anonymous-auth. That's my usual starting point for providing secure data access before I implement the more common sign-in with credentials. – Frank van Puffelen Sep 02 '22 at 22:48