I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look l
Whenever you start a new project on Firebase or set up a Firestore database, Firebase by default adds a set of rules for your database, which looks something like this:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(XXXX, XX, XX);
    }
  }
}
The "timestamp.date" is set to 1 month from when you start the project, more or less like a 30-day free trial. Once this date has passed, the database denies all client requests. So the email is basically a reminder for you to change the security rules. One simple way is to allow read/write requests only to authenticated users:
// Allow read/write access on all documents to any user signed in to the application
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // request.auth is null for unauthenticated requests, so they are denied
      allow read, write: if request.auth != null;
    }
  }
}
Note that this is only one of the ways to define the rules and they need not be exactly as shown; you can modify them further as per your requirements. For more information, you can have a look at this documentation.
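As an added illustration that is not part of the question or the answer above, the following Python script audits a Firestore rules file for the patterns discussed here: the unconditional "open" rule, the time-limited test-mode rule (reporting how many days remain before all client requests are denied, or that it has already expired), and the authenticated-only rule, which still lets every signed-in user reach every matched document. The sample rules text, the `audit_rules` function and its finding labels are all constructed for this example and are not part of Firebase's tooling.

```python
"""Audit a Firestore rules file for test-mode and open-access patterns."""
import re
from datetime import date

# Constructed sample: the default test-mode rules with a concrete expiry date.
SAMPLE_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 6, 1);
    }
  }
}
"""

# Constructed sample: the authenticated-only rules from the answer above.
AUTH_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
"""

# Matches "allow <ops>: if <condition>;" statements in the rules language.
ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?):\s*if\s+(.+?);")
# Matches the test-mode expiry condition and captures year, month, day.
EXPIRY_RE = re.compile(
    r"request\.time\s*<\s*timestamp\.date\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})\s*\)"
)


def audit_rules(rules_text, today_iso):
    """Return a list of (label, operations, detail) findings for each allow statement.

    today_iso is the audit date as 'YYYY-MM-DD', so the expiry check is reproducible.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for m in ALLOW_RE.finditer(rules_text):
        ops = m.group(1).strip()
        cond = m.group(2).strip()
        if cond == "true":
            # Anyone on the internet, signed in or not, can perform these operations.
            findings.append(("OPEN", ops, f"unconditional access: anyone can {ops}"))
            continue
        expiry_match = EXPIRY_RE.search(cond)
        if expiry_match:
            expiry = date(*(int(g) for g in expiry_match.groups()))
            days_left = (expiry - today).days
            if days_left > 0:
                findings.append((
                    "TEST_MODE", ops,
                    f"open to everyone until {expiry} ({days_left} days left); "
                    "after that all client requests are denied",
                ))
            else:
                findings.append((
                    "EXPIRED", ops,
                    f"test-mode rule expired on {expiry}; clients are now denied",
                ))
            continue
        if cond == "request.auth != null":
            # Better than open, but every signed-in user still reaches every document.
            findings.append(("AUTH_ONLY", ops, f"any signed-in user can {ops} every matched document"))
        else:
            findings.append(("CUSTOM", ops, cond))
    return findings


if __name__ == "__main__":
    for label, ops, detail in audit_rules(SAMPLE_RULES, "2024-05-20"):
        print(f"[{label}] {ops}: {detail}")
    for label, ops, detail in audit_rules(AUTH_RULES, "2024-05-20"):
        print(f"[{label}] {ops}: {detail}")
```

Run it against your own `firestore.rules` by reading the file into `audit_rules`; a `TEST_MODE` finding tells you how long you have before the reminder email turns into denied requests, and an `AUTH_ONLY` finding is a cue to narrow the `match` path or the condition to the data each user actually owns.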