Firebase Rules should use the accessToken and the custom Firebase auth token to verify access. Commit the rules to the ./firestore.rules file:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // deny all by default
    match /{document=**} {
      allow read, write: if false;
    }

    // Only the server (Admin SDK, which bypasses rules) can write shop data;
    // we don't want store owners/users to somehow update their plan and other info.
    // A read is allowed when the caller's custom-token claim `shopifyToken` equals
    // the access_token the server stored for that user under this shop, so rotating
    // access_token on the server immediately revokes reads with the old token.
    // request.auth != null is checked first: request.auth.token is undefined for
    // unauthenticated calls, and get() on a missing user doc fails the rule (denied).
    match /shops/{shop} {
      allow read: if request.auth != null
        && get(/databases/$(database)/documents/shops/$(shop)/users/$(request.auth.token.userId)).data.access_token
           == request.auth.token.shopifyToken;
    }

    // users can only read their own data. only server/admin-sdk can write.
    // The stored document is resource.data; request.resource is the incoming
    // write payload and is undefined on reads, so comparing against it denies every read.
    match /shops/{shop}/users/{user} {
      allow read: if request.auth != null
        && request.auth.token.userId == user
        && resource.data.access_token == request.auth.token.shopifyToken;
    }
  }
}
```
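An added emulator test for these rules (example code, not part of the original issue or its repo). It assumes the Firestore emulator is listening on localhost:8080, firestore.rules sits in the working directory, and the server mints custom tokens carrying `userId` and `shopifyToken` claims; all seeded shop and user data is constructed.

```javascript
// Added example, not from the original issue: exercises firestore.rules in the
// Firestore emulator with @firebase/rules-unit-testing. Assumed: the emulator is
// listening on localhost:8080 and firestore.rules sits in the working directory.

// Claims the server is assumed to put into the custom Firebase token; the rules
// compare token.shopifyToken with access_token stored at shops/{shop}/users/{userId}.
function customClaims(userId, shopifyToken) {
  return { userId, shopifyToken };
}

async function runRulesChecks() {
  // Required inside the function so customClaims() can be imported without
  // the emulator packages being installed.
  const fs = require('fs');
  const { initializeTestEnvironment, assertSucceeds, assertFails } =
    require('@firebase/rules-unit-testing');
  const { doc, getDoc, setDoc } = require('firebase/firestore');

  const env = await initializeTestEnvironment({
    projectId: 'demo-shop-rules', // "demo-" ids never touch a real project
    firestore: { rules: fs.readFileSync('firestore.rules', 'utf8'), host: 'localhost', port: 8080 },
  });
  try {
    // Seed constructed data the way the Admin SDK would (rules are bypassed here).
    await env.withSecurityRulesDisabled(async (ctx) => {
      const db = ctx.firestore();
      await setDoc(doc(db, 'shops/shop-a'), { plan: 'free' });
      await setDoc(doc(db, 'shops/shop-a/users/u1'), { access_token: 'tok-u1' });
      await setDoc(doc(db, 'shops/shop-a/users/u2'), { access_token: 'tok-u2' });
    });

    const u1 = env.authenticatedContext('u1', customClaims('u1', 'tok-u1')).firestore();
    const stale = env.authenticatedContext('u1', customClaims('u1', 'rotated-away')).firestore();
    const anon = env.unauthenticatedContext().firestore();

    await assertSucceeds(getDoc(doc(u1, 'shops/shop-a')));          // token matches stored one
    // own user document (the rule must compare resource.data, not request.resource.data)
    await assertSucceeds(getDoc(doc(u1, 'shops/shop-a/users/u1')));
    await assertFails(getDoc(doc(u1, 'shops/shop-a/users/u2')));    // another user's document
    await assertFails(getDoc(doc(stale, 'shops/shop-a')));          // server rotated the token
    await assertFails(getDoc(doc(anon, 'shops/shop-a')));           // unauthenticated
    await assertFails(setDoc(doc(u1, 'shops/shop-a'), { plan: 'enterprise' })); // client write
    return true; // every expectation held
  } finally {
    await env.cleanup();
  }
}

module.exports = { customClaims, runRulesChecks };
```

Call `await runRulesChecks()` from a mocha or jest spec and run it under `firebase emulators:exec --only firestore 'npm test'` so the emulator is started and torn down around the test.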
WIP. very important.