Saving Data on Android, Chapter 20: Securing Data in Cloud Firestore
Written by Harun Wangereka


In the previous chapters, you implemented all the features of the WhatsUp app except the most important one: you haven’t added any security rules, which means anyone has access to your data.

In this chapter, you’ll learn what Cloud Firestore security rules are and how to add them to your database to keep your data safe.

What are Security Rules?

If you had to build your own security system, you’d need a server that acts as a proxy between your mobile clients and the remote database. That server would have to process every request sent to the database and make sure each client accesses only the data it is allowed to see.

Security rules handle this for you: you don’t need to set up your own server or security system.

How Security Rules Work

Security rules check the requests coming to the database, let through those that meet the criteria and reject the ones that don’t. For example, if your rules only allow authenticated clients to write data and an unauthenticated user tries to write something, the database rejects that request.

Getting started

To see what the security rules look like, open your Firestore Database in the Firebase console and select the Rules tab at the top.

Cloud Firestore Security Rules.

rules_version = '2';

// Every rule set starts by matching the documents root of the database.
match /databases/{database}/documents {
  // {document=**} is a recursive wildcard: this block matches every
  // document in every collection and subcollection.
  match /{document=**} {
    ...
  }
}

// Full path of a single document in the posts collection:
/databases/{database}/documents/posts/{postId}

// The same document reached with a nested match. Nested paths must begin
// with a slash and are relative to the enclosing match.
match /databases/{database}/documents {
  match /posts/{postId} {
    ...
  }
}

// Rules do not cascade: a document in a subcollection needs its own match
// block, nested inside the parent document's block.
match /databases/{database}/documents {
  match /posts/{postId} {
    match /subcollection/{documentId} {
      ...
    }
  }
}

Adding Security Rules

Your WhatsUp app is still not safe. Next, you’ll add security rules to restrict access to the data. Open Firestore Database in the console and tap Rules. Replace the existing rule with:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Any signed-in user may read and write every document in the database;
    // requests without an authenticated user are rejected.
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}
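The rule above opens the whole database to every signed-in user. As an added example that is not from the book or the WhatsUp project, the rule set below goes a step further on the same ideas: it keeps the authenticated-only requirement, scopes writes on a post to its author, and gives a subcollection its own nested block because rules do not cascade. The field name authorId and the subcollection name comments are assumptions for illustration, not names from the book.

```firestore-rules
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep the allow expressions short and consistent.
    function isSignedIn() {
      // request.auth is null for unauthenticated requests.
      return request.auth != null;
    }

    function isOwner(authorId) {
      return isSignedIn() && request.auth.uid == authorId;
    }

    // Posts: any signed-in user may read; only the author may change a post.
    // authorId (assumed field name) must equal the caller's uid on create,
    // and an update may not reassign the post to someone else.
    match /posts/{postId} {
      allow read: if isSignedIn();
      allow create: if isOwner(request.resource.data.authorId);
      allow update: if isOwner(resource.data.authorId)
                    && request.resource.data.authorId == resource.data.authorId;
      allow delete: if isOwner(resource.data.authorId);

      // Rules do not cascade: the comments subcollection (assumed name)
      // needs its own block, otherwise every request to it is denied.
      match /comments/{commentId} {
        allow read: if isSignedIn();
        allow create: if isOwner(request.resource.data.authorId);
        allow update, delete: if isOwner(resource.data.authorId);
      }
    }

    // No block matches any other path, so requests elsewhere are denied.
  }
}
```

In the Rules Playground you can check both sides of this rule set: a get on a post with no authenticated user is denied, a get with any authenticated uid succeeds, and an update is denied unless the simulated uid equals the post’s authorId.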
Firebase Security Rules Editor.

Testing the Security Rules

Firestore has the Rules Playground, which you can use to test your rules. You’ll use the Rules Playground to test the rule you’ve just created.

Security Rules Playground.

posts/posts/FNlxMWV6kZUgyr9vPFv8
Security Rules Failure.

Security Rules test request is successful.

Monitoring Security Rules

Firebase also provides statistics for the rules you’ve set. You can access them by selecting the Monitor rules tab, next to the Edit rules tab.

The rules graph.

Key points

  • Security rules check the requests coming to the database: they let through those that meet the criteria and reject the ones that don’t.
  • Security rules consist of two parts: which documents you are securing, and the logic you use to secure them.
  • In the Rules tab of the Firebase console, you can see your current security configuration.
  • The match statement specifies the path to the document.
  • The allow expression specifies when reading or writing data is permitted.
  • Security rules in Cloud Firestore do not cascade: a document is covered only by a match block whose path reaches it.
  • Cloud Firestore provides the Rules Playground feature that you can use to test your rules.

Where to go from here?

In this chapter, you learned the basics of Cloud Firestore security rules. Your WhatsUp app now only allows authenticated users to access the data.


© 2021 Razeware LLC
