How to Give Everyone Access to Firestore Database, But Only via App

Is there any way to give everyone access to firestore database, but only via app?

No, you can't limit access to your Cloud Firestore only to your application.

Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.

To properly secure access to your database, you'll have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.

Also see:

  • How to enable access of firestore data to my nativescript app only?
  • Why is it okay to allow writes into Firebase from the client side?
  • Is it safe to use Firestore and its features via client only?

Firestore Rules to give data access to specific app

There is no way to limit access to "just this app" in Firebase security rules. Anyone can take the configuration data from your app and use it to call the same API as you app uses.

For this reason you will need to make sure that your security rules model the logic that you want. You'll typically replicate some of the data access logic between your client-side application code, and the server-side security rules. This means that you're modeling who can take certain actions, not what code/application they use to do that.

Also see:

  • How can I set Rules in Firebase so that only my app can write on my database firestore?
  • Is there any way to give everyone access to firestore database, but only via app?
  • How to enable access of firestore data to my nativescript app only?
  • and many more from these previous questions about the topic

Firestore add security rule to allow reads only from mobile app

It's not possible to use security rules to limit access to a certain app. If your rules allow read access without requiring a sign-in using Firebase Authentication, then anyone with an internet connection can perform reads.

Minimally, you could require anonymous authentication. But that still would not stop someone from creating an account and using that to read everything without going through the app.

How to enable access of firestore data to my nativescript app only?

Update (May 2021):

Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to Callable Cloud Functions to only those coming from iOS, Android and Web apps that are registered in your Firebase project.

You'll typically want to combine this with the user authentication based security that I described earlier/below, so that you have another shield against abusive users that do use your app.

It is still typically recommend to control access based on authenticating a user (allowing you to identify each individual user), and then ensuring they can only access data they're authorized for (in security rules).

If you don't want your users to have to sign in, you can use anonymous authentication. While this doesn't give you any information about the user, you can still identify them in security rules and thus limit their access based on what they've done.

By combining App Check with security rules, you have both broad protection and fine-grained control over what data everyone can access.

Allow Read access to one specific collection in Firebase Firestore

If you want to treat the "usernames" collection differently than everything else, call it out by name, and assign full read access to everyone:

    match /usernames/{id} {
      allow read: if true;
    }

I suggest taking some time to study the documentation on security rules to better understand how they work, an learn how to make rules on your own.

How to give access of cloud firestore to users in such a way that they are indirectly part of my application but not enrolled in my firebase console?

It is not possible, with Firebase security rules, to apply per-user control of data to people who are not signed in with Firebase Authentication. There is simply no mechanism available to security rules to determine who can do what, if their identity isn't verified by Auth. Browser cookies are not available. Anyone who is not signed in will effectively cause request.auth to equal null when they try to access documents from mobile clients.


Related Topics

Transferring Data Usb

How to Save the Image to Sd Card on Button Click Android

Firebase Realtime Database Connection Killed: Different Region

Adt Doesn't Create Default Hello World But Command Line Does

Convert Time Value to Format "Hh:Mm Am/Pm" Using Android

How to Stop Other Apps Playing Music from My Current Activity

Taking Screenshot Programmatically Doesnt Capture the Contents of Surfaceview

Activate an Application When a Power Button Is Clicked

Crashlytics Android Sdk - Custom Uncaughtexceptionhandler

Android Mapactivity:Couldn't Get Connection Factory Client

Android 6.0 Permission Error

How to Implement Image Gallery in Gridview in Android

Could Not Find Com.Android.Tools.Build:Gradle:4.0.1 ( or Any Version )

How to Handle Asynctask's in Actionbaractivity Fragments When Viewpager Is Used

Android Exporting to CSV and Sending as Email Attachment

Arrayadapter.Notifydatasetchanged() Is Not Working

Android - Add Textview to Layout When Button Is Pressed

Android Dialog Transparent


Leave a reply



Submit