Closed spyr0s closed 3 years ago
We generally recommend everyone use authorization, but that said, it feels like a valid use-case. Will talk to the team. Thanks.
Thanks. A workaround for the time being would be to use anonymous auth.
Hi @spyr0s, As a team we have always avoided supporting unauthenticated requests, because generally it means that users using the library do not have rule policies protecting their projects whatsoever. But in this case you gave us a complete and understandable use case and we are sure you know what you are doing. Before implementing this, I'd like to make sure if a viable option for you would be to just have an automatic anonymous authentication if the plugin does an unauthorized request. Clients wouldn't notice the difference, and you won't have to call any additional function, but still it would be an additional layer of protection. Of course this would mean that you would need to enable anonymous authentication (which is just a matter of a click). Otherwise, if you don't like this idea, please let us know and just give us some time to add some notes around the plugin, since if we enable unauthorized requests we would like to make sure that inexperienced users know what they are doing, and experienced users just acknowledge this option. Thanks!!
Yes, anonymous sign-in would be a perfect workaround. Just checked and it works fine.
On Mon, Apr 5, 2021, 16:59 Nicolò Santilio @.***> wrote:
Hi @spyr0s https://github.com/spyr0s, As a team we have always avoided supporting unauthenticated requests, because generally it means that users using the library do not have rule policies protecting their projects whatsoever. But in this case you gave us a complete and understandable use case and we are sure you know what you are doing. Before implementing this, I'd like to make sure if a viable option for you would be to just have an automatic anonymous authentication if the plugin does an unauthorized request. Clients wouldn't notice the difference, and you won't have to call any additional function, but still it would be an additional layer of protection. Of course this would mean that you would need to enable anonymous authentication (which is just a matter of a click). Otherwise, if you don't like this idea, please let us know and just give us some time to add some notes around the plugin, since if we enable unauthorized requests we would like to make sure that inexperienced users know what they are doing, and experienced users just acknowledge this option. Thanks!!
Is your feature request related to a problem? Please describe.
Currently all requests to Firestore documents require authorization, else an "Unauthorized Firestore operation!" error is returned:

```gdscript
if not auth:
    printerr("Unauthorized Firestore operation!")
    return null
```

Describe the solution you'd like
Allow requests to be done without the auth check and with no bearer token if the user is not authorized.

Additional context
For example, we can have a collection of user scores where each user should be authorized in order to add a score, but we want guests to see the top scores. This can be done using Firestore rules, but currently we can't query the top scores without getting the Unauthorized error.
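The access policy discussed in this thread, written as Firestore security rules. This is an added example, not from the issue or from the GodotFirebase project; the collection name `scores` and the fields `uid` and `score` are assumptions. It follows the anonymous-auth workaround: guests signed in anonymously can read, but cannot write.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection holding one document per submitted score.
    match /scores/{scoreId} {

      // Workaround variant: any signed-in client may read, including
      // clients using anonymous authentication.
      allow get: if request.auth != null;

      // Queries must be bounded, so a guest can fetch the top scores
      // but cannot dump the whole collection in one request.
      allow list: if request.auth != null
                  && request.query.limit <= 10;

      // Fully unauthenticated variant (the original feature request):
      // drop the "request.auth != null" terms from get and list above.

      // With anonymous auth enabled, "request.auth != null" alone no
      // longer distinguishes real users from guests, so writes must
      // exclude the anonymous provider explicitly.
      allow create: if request.auth != null
                    && request.auth.token.firebase.sign_in_provider != 'anonymous'
                    && request.resource.data.uid == request.auth.uid
                    && request.resource.data.score is int
                    && request.resource.data.keys().hasOnly(['uid', 'score']);

      // Submitted scores are immutable from the client side.
      allow update, delete: if false;
    }
  }
}
```

Enabling anonymous authentication changes the meaning of every existing rule that only checks `request.auth != null`, so those rules should be reviewed before the provider is switched on.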