I have been following a tutorial showing how to build a custom REST API in JavaScript which is then deployed to Firebase Functions, which can then be used to communicate with a Firestore database.
Everything appears to be working fine but one thing is bothering me.
One of my endpoints is url-to-api/read, which fetches all the records in the database. How can I prevent anyone from simply adding that URL into a browser and reading all the data?
I have tried various Firestore rules but none seem to make any difference, adding /read on to the end of the API URL still shows all the data in the browser.
Cloud Functions access Firebase using the Admin SDK, which means they bypass the security rules and have unrestricted access to the database.
It is up to you to protect what users can do in this case. For example, you can require that they pass their ID token along, and use that to determine their authorization as shown in these examples of implementing an authorized HTTP endpoint and implementing an authorized JSON API.
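The gate the answer describes, as an added example that is not part of the question, the answer, or the Firebase samples it links: an HTTP Cloud Function that reads the caller's Firebase ID token from the Authorization header, verifies it before the Admin SDK touches Firestore, and rejects the request otherwise. The `firebase-admin` and `firebase-functions` calls are assumed and named only in comments so the file runs offline; `verifyIdToken` and `readAllRecords` are injected stand-ins (in production, `admin.auth().verifyIdToken` and an `admin.firestore()` query), and the token values and records are constructed.

```javascript
// Added example (not from the question or answer): an authorization gate
// for an HTTP Cloud Function backed by the Admin SDK. The Admin SDK bypasses
// Firestore security rules, so the function itself has to verify the caller's
// Firebase ID token before it reads anything.
//
// Assumed, not bundled, so this runs offline: in production `verifyIdToken`
// would be `(token) => admin.auth().verifyIdToken(token)` from firebase-admin
// and the handler would be exported with `functions.https.onRequest(...)`.

// Pull the ID token out of "Authorization: Bearer <token>".
function extractBearerToken(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/.exec(authHeader.trim());
  return match ? match[1] : null;
}

// Decide whether a request may proceed. `verifyIdToken` is injected so the
// logic can be exercised without Firebase credentials; it must resolve to a
// decoded token containing `uid`, or reject for an invalid/expired token.
async function authorize(req, verifyIdToken) {
  const token = extractBearerToken(req.headers && req.headers.authorization);
  if (!token) {
    return { ok: false, status: 401, error: 'Missing bearer token' };
  }
  try {
    const decoded = await verifyIdToken(token);
    return { ok: true, status: 200, uid: decoded.uid };
  } catch (err) {
    // Invalid, expired or forged tokens all land here; keep the message generic.
    return { ok: false, status: 401, error: 'Invalid ID token' };
  }
}

// The /read handler: reject unauthenticated callers before touching the
// database. `readAllRecords` stands in for the Admin SDK Firestore query
// (e.g. `admin.firestore().collection('records').get()`); it receives the
// verified uid so a real implementation can scope the query to the caller.
function makeReadHandler(verifyIdToken, readAllRecords) {
  return async function readHandler(req, res) {
    const auth = await authorize(req, verifyIdToken);
    if (!auth.ok) {
      res.status(auth.status).json({ error: auth.error });
      return;
    }
    const records = await readAllRecords(auth.uid);
    res.status(200).json({ records });
  };
}

// --- Constructed demo: fake verifier, fake data, fake response object ---
const FAKE_TOKENS = { 'valid-token-123': { uid: 'user_abc' } }; // constructed
async function fakeVerifyIdToken(token) {
  if (FAKE_TOKENS[token]) return FAKE_TOKENS[token];
  throw new Error('auth/argument-error'); // mimics a rejected verification
}
async function fakeReadAllRecords() {
  return [{ id: 'r1', owner: 'user_abc' }]; // constructed sample data
}
function fakeResponse() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run one request through the handler and return what the client would see.
async function simulate(authHeader) {
  const handler = makeReadHandler(fakeVerifyIdToken, fakeReadAllRecords);
  const req = { headers: authHeader ? { authorization: authHeader } : {} };
  const res = fakeResponse();
  await handler(req, res);
  return { status: res.statusCode, body: res.body };
}

if (typeof require !== 'undefined' && require.main === module) {
  simulate(undefined).then(console.log);                // 401: no token
  simulate('Bearer nope').then(console.log);            // 401: bad token
  simulate('Bearer valid-token-123').then(console.log); // 200 with records
}
```

The browser-in-the-address-bar case from the question is the first simulated request: no Authorization header is sent, so the handler answers 401 without ever querying Firestore. A client that has signed in with the Firebase client SDK obtains the ID token from `getIdToken()` and sends it as a Bearer header on each call.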