Recently I've received a bunch of Firebase notifications regarding:
[Firebase] Your Cloud Firestore database has insecure rules
We've detected the following issue(s) with your security rules: any user can write to your entire database. Because your project does not have strong security rules, anyone can access your entire database. Attackers can steal, modify, or delete your data, and they can drive up your bill.
Edit2: What I need is to allow writes for everyone without any need to sign in, but only the admin account should be able to read the data from the Firebase console.
Realtime Database rules:
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
Cloud Firestore rules:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write;
    }
  }
}
Edit: The structure of one of the databases in JSON; the others look similar:
{
  "battles" : {
    "-KjiAFLI8oE_12345678" : {
      "full" : true,
      "player1" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      },
      "player2" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      }
    },
    "-KjiAMVvJydR12345678" : {
      "full" : true,
      "player1" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      },
      "player2" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      }
    }
  }
}
Edit3: In contrast to the Firebaser's answer to "Firebase email saying my realtime database has insecure rules", I don't want to use (and don't use) Firebase Authentication/SSO.
Given this scenario, do I have to / should I modify them somehow?
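The question states the actual requirement (Edit2: anyone may write without signing in, only the admin reads, via the console) and shows the exact shape of the data, which is enough to write rules that are far narrower than "anyone can write to your entire database". The Realtime Database rules below are an added example written for this question; they are not part of the question or the answer and are not an official Firebase recommendation. They assume the data lives at /battles as shown above, that clients only ever need to write individual battles (not replace the whole /battles tree), and that the two players are always named player1 and player2. Client reads are denied outright; that does not affect the Firebase console or the Admin SDK, which bypass security rules, so the admin can still inspect the data. Every leaf is validated individually, so a partial update to a single movement flag or coordinate is checked as well as a full battle write, and keys outside the documented structure are rejected. The `//` comments are accepted by the Firebase rules editor.

```json
{
  "rules": {
    "battles": {
      // No client may read battles. The console and Admin SDK bypass rules,
      // so the admin account can still read everything from the console.
      ".read": false,

      "$battleId": {
        // Unauthenticated writes are allowed, but only per battle: granting
        // .write here instead of at the root means a single client request
        // cannot wipe or replace the whole /battles tree.
        ".write": true,
        ".validate": "newData.hasChildren(['full', 'player1', 'player2'])",

        "full": { ".validate": "newData.isBoolean()" },

        // Any key other than 'full' must be player1 or player2.
        "$player": {
          ".validate": "$player.matches(/^player[12]$/) && newData.hasChildren(['movement', 'position'])",

          "movement": {
            // Only the four documented direction flags, each a boolean.
            "$dir": {
              ".validate": "$dir.matches(/^(up|down|left|right)$/) && newData.isBoolean()"
            }
          },

          "position": {
            // Only x and y, each a number.
            "$axis": {
              ".validate": "$axis.matches(/^[xy]$/) && newData.isNumber()"
            }
          },

          // Reject any other child under a player.
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

This still lets anyone create as many battles as they like, which is inherent in the stated requirement of unauthenticated writes; what it removes is the ability to read other players' data, to overwrite the entire database in one request, and to store arbitrary payloads under the game's tree. The Cloud Firestore rule shown in the question (`allow write;` on `/{document=**}`) is the one the Firebase notification refers to; the same idea applies there, but Firestore rules are a separate language and are not covered by this block.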
I can think of two solutions without risking compromising security (to some extent):
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if request.auth != null;
    }
  }
}
For example:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /Users-xQnFiECweq {
      match /Courses-QrmGvMgF9C {
        match /{multiSegment=**} {
          allow write;
        }
      }
    }
  }
}
The string values at the end of the document or collection names kind of act as passwords that only you know, and that makes it difficult for another person to guess the exact structure of your database.
I understand it's a bit of a strange approach, but it's better than giving write access to just everyone.