Cloud Firestore - Rules

[Zau Maiano]

hey, guys!

help me, please, 

how restrict Cloud Firestore for specific apps based on fingerprint (sha-1) using the rules?

[Sam Stern]

Hi Zau,

Right now there is no way to do this, although we are working on adding a feature like that. In the meantime the best thing to do is apply API key restrictions:
https://firebase.google.com/docs/projects/api-keys#apply-restrictions

The API key is required to access Firebase Auth. So if your API key has a specific SHA1 restriction and your Firestore rules require "request.auth != null" (at a minimum) you'll essentially have SHA-1 protection in your rules.

- Sam

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/3b521f6c-7571-44f5-9632-50879826d2abn%40googlegroups.com.

[Zau Maiano]

Hey, Sam. thank you! 

in my case, I have authentication system in my app, but I don't use Firebase Auth.

I want a form to validate request of firebase cloud firestore using Fingerprint, but in this I must wait.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAHafJBoJm30qQONE3vbOqR-nOPHgi6kD3xkOx9DCatLAbtc3gw%40mail.gmail.com.

[Sam Stern]

Hi Zau,

You could consider using Firebase Anonymous Auth which would be invisible to your users and not affect your existing authentication system. The only advantage of using it in your case would be that it would force your app to make an API-key-protected request to Firebase Auth and then you'd have "request.auth != null" evaluate to true in your rules.

It's not bulletproof security but it's far better than nothing!

- Sam

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAO%2BBHSJCP%3D8%3Ds5zCXFGVLp77qE%2BQf5ZO%2BGMfMe3Hedd6tayk4Q%40mail.gmail.com.