
Saving Data on Android

Second Edition · Android 11 · Kotlin 1.5 · Android Studio 4.2

Using Firebase


20. Securing Data in Cloud Firestore
Written by Harun Wangereka


In the previous chapters, you implemented all the features in the WhatsUp app except the most important one. You haven’t written any security rules yet, which means anyone can read and write your data.

In this chapter, you’ll learn what Cloud Firestore security rules are and how to add them to your database to keep your data safe.

What are Security Rules?

Without security rules, you would have to run your own server as a proxy between your mobile clients and the remote database. That server would need to process every request sent to the database and make sure each client accesses only the data it is allowed to see.

Security rules do that job for you. You don’t need to build or run your own security system.

How Security Rules Work

Security rules check every request that reaches the database, let through the ones that meet your conditions and reject the ones that don’t. For example, if your rules only allow authenticated clients to write data and an unauthenticated user tries to write something, the database rejects that request.

Getting started

To see what the security rules look like, open your Firestore Database in the console and select the Rules tab at the top.

Cloud Firestore Security Rules.

// Every rules file starts with the version line (the quotes and the semicolon are required):
rules_version = '2';

// The top-level match covers every document in the database:
match /databases/{database}/documents

// The recursive wildcard {document=**} matches every document at any depth:
match /{document=**} {
      ...
}

// A single document in the posts collection has this full path:
/databases/{database}/documents/posts/{postId}

// Nested match statements build that path up piece by piece. Each nested
// path begins with a slash and is relative to the enclosing match:
match /databases/{database}/documents {
    match /posts/{postId} {
      ...
    }
}

// Going one level deeper matches the documents of a subcollection of a post.
// Rules written for /posts/{postId} do not apply to these documents unless you match them:
match /databases/{database}/documents {
    match /posts/{postId} {
      match /subcollection/{documentId} {
          ...
      }
    }
}

Adding Security Rules

Your WhatsUp app is still not safe. Next, you’ll add security rules to restrict access to the data. Open Firestore Database in the console and tap Rules. Replace the existing rule with the following. It matches every document in the database and allows reads and writes only when the request comes from a signed-in user; request.auth is null for unauthenticated requests. Keep in mind that this still lets any signed-in user read and write every document, so it is a first step rather than a complete access-control policy:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Match every document in the database, at any depth.
    match /{document=**} {
      // request.auth is null for unauthenticated requests, so this allows
      // reads and writes only from signed-in users.
      allow read, write: if request.auth != null;
    }
  }
}
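The rule above treats every signed-in user the same. The rules file below is an added example, not the book’s WhatsUp rules: it shows, for contrast, the open configuration the chapter starts from, a per-document rule on posts/{postId} that ties writes to the post’s author, and a nested match for a subcollection, since rules do not cascade. The authorId field and the comments subcollection are assumptions made for this illustration; the WhatsUp app’s actual document fields are not shown on this page.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // For contrast only: the open configuration the chapter starts from.
    // Every client, signed in or not, could read and write every document.
    // Kept as a comment so it is never deployed by accident.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // request.auth is null for unauthenticated requests.
    function isSignedIn() {
      return request.auth != null;
    }

    // Assumption for this example: each post and comment stores its author's
    // uid in an `authorId` field. Reading a missing field raises an error,
    // and an error makes the rule evaluate to deny, which is the safe default.
    function isAuthor(data) {
      return isSignedIn() && data.authorId == request.auth.uid;
    }

    // Posts: any signed-in user may read. A post can only be created with the
    // caller's own uid as authorId (request.resource is the incoming document),
    // and only its author may change or delete it (resource is the stored one).
    match /posts/{postId} {
      allow read: if isSignedIn();
      allow create: if isAuthor(request.resource.data);
      // Updates may not reassign authorship to another user.
      allow update: if isAuthor(resource.data)
                    && request.resource.data.authorId == resource.data.authorId;
      allow delete: if isAuthor(resource.data);

      // Rules do not cascade: nothing above applies to documents under a post.
      // Without this nested match every request to a comment would be denied.
      // The `comments` subcollection name is an assumption for this example.
      match /comments/{commentId} {
        allow read: if isSignedIn();
        allow create: if isAuthor(request.resource.data);
        allow update: if isAuthor(resource.data)
                      && request.resource.data.authorId == resource.data.authorId;
        allow delete: if isAuthor(resource.data);
      }
    }
  }
}
```

Paste this into the Rules tab and exercise it with the Rules Playground, as described in the next section, trying both an unauthenticated request and a signed-in request whose uid does not match the stored authorId. One caveat: Cloud Firestore grants access if any matching allow expression evaluates to true, so a broad match /{document=**} rule like the one above, if left in place alongside these, would make the tighter per-document conditions irrelevant. Remove the broad rule before relying on the narrow ones.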
Firebase Security Rules Editor.

Testing the Security Rules

Firestore has the Rules Playground which you can use to test your rules. You’ll be using the Rules Playground to test the rule you’ve created.

Security Rules Playground.

posts/posts/FNlxMWV6kZUgyr9vPFv8
Security Rules Failure.

Security Rules test request is successful.

Monitoring Security Rules

Firebase also provides statistics for the rules you’ve set. You can see them by tapping the Monitor rules tab, which is next to the Edit rules tab.

The rules graph.

Key points

  • Security rules check every request that reaches the database. They let through the requests that meet your conditions and reject the ones that don’t.
  • Security rules consist of two parts: which documents you are securing, and the logic that decides who may access them.
  • In the Rules tab in the Firebase Console, you can see your current security configuration.
  • A match statement specifies the path of the documents a rule applies to.
  • An allow expression specifies the conditions under which data may be read or written.
  • Security rules in Cloud Firestore do not cascade: a rule written for posts/{postId} says nothing about documents in its subcollections unless you match them explicitly or use the recursive wildcard {document=**}.
  • Cloud Firestore provides the Rules Playground, which you can use to test your rules.

Where to go from here?

In this chapter, you learned the basics of Cloud Firestore’s security rules. Your WhatsUp app now only allows authenticated users to access the data.

© 2024 Kodeco Inc.
