Is Anonymous Authentication Enough?

Question

I\'m developing an app that doesn\'t require logging in because there isn\'t any user-specific data. My original plan was to just make my entire database be read only. However,

Answer 1

Generally, No.

Solely using anonymous authentication adds a hurdle to accessing your database and will protect it from simple read queries as if your database was fully open, but you should combine that with security rules that limit the queries that can be performed.

Assuming we are starting with these barebone rules:

// Allow read access on all documents to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.auth.uid != null;
      allow write: if request.auth.token.isAdmin === true;
    }
  }
}

To tighten up your rules, you should first remove the wildcard entry and replace them with fixed document paths.

// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth.uid != null;
      allow write: if request.auth.token.isAdmin === true;
    }
  }
}

or even

// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth.uid != null;
      allow write: if request.auth.token.isAdmin === true;

      // allow same permissions on subcollections of /posts/{postId}
      match /{document=**} {
        allow read: if request.auth.uid != null;
        allow write: if request.auth.token.isAdmin === true;
      }
    }
  }
}

Next you should consider adding rules that limit the size of queries performed against your database using the granular security rule list as described in Securely query data of the Firebase Documentation.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postid} {

      // Deny any query not limited to 10 or fewer documents
      allow list: if request.auth != null
                  && request.query.limit <= 10;

      // Anyone can retrieve an individual post
      allow get: if request.auth != null;

      // Only an admin can write to posts
      allow write: if request.auth.token.isAdmin === true;
    }
  }
}

Depending on how frequently the data is updated, you may also consider storing data bundles on Firebase Storage or you could even serve the data from Firebase Hosting where they can be served by a CDN instead of your application.