Hello everyone,
If you have been trying to learn how to use AngularFire, you are probably finding its ability to trigger database modification operations from the browser a bit surprising, to say the least.
How can that even work from a security perspective? The key ingredient for CRUD operations to still be safe when done from a browser are Firestore Security Rules.
Click Here to Watch: Introduction to Firestore Security Rules
What Are Firestore Security Rules?
Firestore Security Rules are a set of declarative rules written in a JSON/Javascript-like format, that you deploy to your Firestore server.
You don't need any application code written, just a small file with a set of rules. Whenever a data read or modification request gets sent from a browser to a Firestore database, the Firestore server is going to allow the request to go through (or not) by running it through this set of rules.
We can write rules based on the content of the request, which includes the user authentication information including it's roles, and we can also write rules based on the current content of the database.
This means that we can write rules like:
- "allow the creation or modification of a new course document only if the user is correctly authenticated and is an administrator, otherwise deny the request."
- or "users are required to authenticate to even be able to read course documents"
- or "allow the users to delete a course document, but only if it's in status draft"
Please Hit Reply and let me know: what would you like to learn about Firestore Security Rules? Any gotchas that you run into?
You can learn all about Firestore Security Rules in this week's 36 new minutes of the ongoing Firebase & AngularFire In Depth course, scroll below to see the titles of this week's lessons.
I want to thank you for reading and wish you an awesome weekend!
Kind Regards,
Vasco
Angular University