It’s awesome that you have designed an application or a web app that uses Cloud Firestore as your database platform. It works well until one day your entire database is gone or has been compromised. It’s a disaster and nobody wants it to happen. That’s why we need security rules!

1. How to set up rules for Cloud Firestore?

You log in to your Firebase console > Firestore > Rules, and you will see your current security rules.

The security rules also have version control, so you can go back to a previous version at any time. The rule shown above allows anyone to read and write to your Cloud Firestore.

2. How can I set up security rules?

service cloud.firestore {
  match /databases/{database}/documents {
    // All rules go here
  }
}

You can set up a rule for the entire database or for each collection individually.

// The {document=**} wildcard will match any document in the entire database.
match /{document=**} {
  allow read, write: if <condition>;
}

3. Setting up security rules for each collection

match /customers/{customer} {
  allow read: if true;
  allow write: if request.auth != null;
}

The rule above allows the public to read anything in the customers collection; however, users need to sign in in order to write (create, update and delete) data. Note that request.auth != null only checks that the requester is signed in, so any signed-in user, not just the owner of a record, can write to every customer document.

Instead of writing the condition directly inside the match, you can use a function. By using a function, you can reuse the condition in other rules without rewriting it every single time.

match /customers/{customer} {
  allow read: if true;
  allow write: if isSignedIn();
}

// Functions //
function isSignedIn() {
  return request.auth != null;
}

4. Testing the security rules

There is a way for you to test the security rules without publishing them. By doing this, you won’t mess up your current deployment. Your customers will be happy about this.

We will use the embedded simulator to test all the security rules.

As you can see, I am testing the read rule on the customers collection. Anyone can access the customers collection without signing in.

However, you cannot edit the database without authentication — which is good ;)

Now, we will try whether we can write after signing in to Firebase.

As you can see, after authenticating, the write rule passes. In this test, I am logging in using email and password. There are more sign-in methods for you to test.

By doing this, you will reduce the mistakes you might make when deploying the security rules.

5. Other useful tricks

It may not be a trick; it’s just some code that you can use in your security rules.

// Check if a document exists at users/{uid} for the signed-in user
// (only call this when the user is signed in, otherwise request.auth is null)
function documentIdExists() {
  return exists(/databases/$(database)/documents/users/$(request.auth.uid));
}

// Check if the userId stored in the document matches the signed-in user.
// resource.data is the document as already stored, so this works for
// read, update and delete; on create use request.resource.data instead.
function userExistsInDocument() {
  return resource.data.userId == request.auth.uid;
}

// Check if the email stored in the document matches the signed-in user's email
// (renamed: the original used the same name as the function above)
function emailExistsInDocument() {
  return resource.data.email == request.auth.token.email;
}
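Putting sections 3 and 5 together, here is an added example rule set (not from the original post) that tightens the customers rule so a signed-in user can only create, update or delete customer documents whose userId field is their own, and handles the create case where resource.data does not exist yet. The users/{uid} profile path and the userId field name are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Functions //
    function isSignedIn() {
      return request.auth != null;
    }

    // True if a profile document exists at users/{uid} for the signed-in user
    // (assumed path, same idea as the page's documentIdExists() helper)
    function documentIdExists() {
      return isSignedIn()
        && exists(/databases/$(database)/documents/users/$(request.auth.uid));
    }

    // Ownership of the stored document: resource.data is only available
    // for read, update and delete, not for create
    function isOwner() {
      return isSignedIn() && resource.data.userId == request.auth.uid;
    }

    // Ownership of the incoming data: on create there is no stored document,
    // so the check has to run against request.resource.data
    function willBeOwner() {
      return isSignedIn() && request.resource.data.userId == request.auth.uid;
    }

    // Public read; writes are limited to the document's owner. An update must
    // also keep userId equal to the caller's uid, so a document cannot be
    // handed to another account
    match /customers/{customer} {
      allow read: if true;
      allow create: if willBeOwner() && documentIdExists();
      allow update: if isOwner() && willBeOwner();
      allow delete: if isOwner();
    }

    // Each user may only read and write their own profile document
    match /users/{userId} {
      allow read, write: if isSignedIn() && request.auth.uid == userId;
    }
  }
}
```

A request whose document lacks the userId field makes the comparison error out, which the rules engine treats as a denial, so missing fields fail closed rather than open.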

If you cannot find what you are looking for, please leave a comment or read the Cloud Firestore Security Docs.