问题
Right now, in my Firestore rules only registered users have read / write access to my project. However, I also want to verify in my registration process if an E-Mail already exists, which means also anonymous user have access to my "users" data.
I am unsure how this is compliant from a security perspective. Should I create something like a "emails" collection and duplicate all E-Mail addresses here and allow anonymous users to query this?
回答1:
Yup, that is indeed the typical approach. Duplicate the data that you want anonymously accessible into a separate collection, and grant broader access restrictions there.
In the rules for that collection of email addresses you will typically use granular rules that allow reading each specific document, but to disallow listing all documents. Something like:
match /emails/{email} {
// Applies to single document read requests
allow get: if <condition>;
// Applies to queries and collection read requests
allow list: if false;
}
This means that once the user has typed a specific email address, you can check if a document exists for that email address. But they can't just get all documents from the collection to scrape your user base.
来源:https://stackoverflow.com/questions/59766574/allow-unregistered-users-to-query-firestore-to-check-if-an-e-mail-already-exists