1
00:00:00,330 --> 00:00:02,520
‫Instructor: Hi. Within this lecture,

2
00:00:02,520 --> 00:00:05,400
‫we are going to begin working

3
00:00:05,400 --> 00:00:08,250
‫on our Firestore security rules so

4
00:00:08,250 --> 00:00:10,830
‫that we can make our app secure

5
00:00:10,830 --> 00:00:13,980
‫so that hackers won't be able to read

6
00:00:13,980 --> 00:00:18,980
‫or write data in a way that they want using rest calls.

7
00:00:19,200 --> 00:00:22,770
‫So that's exactly what we are trying to do over here.

8
00:00:22,770 --> 00:00:26,819
‫And remember, this actually defines the rules

9
00:00:26,819 --> 00:00:31,320
‫of our fire based database usage.

10
00:00:31,320 --> 00:00:34,410
‫So I'm going to delete every comment from here.

11
00:00:34,410 --> 00:00:36,780
‫Okay. These are all comments lines

12
00:00:36,780 --> 00:00:39,210
‫so you can just delete them.

13
00:00:39,210 --> 00:00:42,150
‫As you can see, it starts with match

14
00:00:42,150 --> 00:00:46,980
‫and it follows with allowing reading or writing.

15
00:00:46,980 --> 00:00:50,100
‫Okay? And over here what we see is

16
00:00:50,100 --> 00:00:54,054
‫the allowing reading in writing with a condition

17
00:00:54,054 --> 00:00:58,530
‫so the condition can be deleted like this.

18
00:00:58,530 --> 00:01:01,503
‫So over here we allow reading and writing

19
00:01:01,503 --> 00:01:05,156
‫and if I do that, it will only allow reading, for example

20
00:01:05,156 --> 00:01:10,156
‫and I can just say something like, "Allow write" like this.

21
00:01:10,440 --> 00:01:13,200
‫So this will allow reading and writing

22
00:01:13,200 --> 00:01:16,290
‫in any condition to anyone.

23
00:01:16,290 --> 00:01:18,540
‫So this is good, right?

24
00:01:18,540 --> 00:01:23,540
‫But it's not even close to our purpose of securing this app.

25
00:01:24,570 --> 00:01:29,310
‫So most of the time, developers actually tend to use it

26
00:01:29,310 --> 00:01:34,140
‫in a way like this so that they won't come across

27
00:01:34,140 --> 00:01:37,470
‫with any problems when they test or develop the app.

28
00:01:37,470 --> 00:01:41,460
‫But then later on they forget to change this

29
00:01:41,460 --> 00:01:45,450
‫or they're lazy enough to just leave it like this

30
00:01:45,450 --> 00:01:47,340
‫and it's not even secure.

31
00:01:47,340 --> 00:01:52,140
‫What we can do, we can actually propose a new thing

32
00:01:52,140 --> 00:01:55,590
‫like allowing writing for a condition,

33
00:01:55,590 --> 00:01:59,329
‫for example, or allowing reading for a condition.

34
00:01:59,329 --> 00:02:03,697
‫Okay? And maybe we can say something like that,

35
00:02:03,697 --> 00:02:08,697
‫"Allow write"? If and only if the user is authenticated.

36
00:02:10,315 --> 00:02:15,315
‫So by authenticated, I mean they're either signed up

37
00:02:15,330 --> 00:02:18,330
‫or signed in, so they're logged in.

38
00:02:18,330 --> 00:02:20,490
‫Okay? So in order to do that,

39
00:02:20,490 --> 00:02:23,850
‫I'm just going to write a column over here.

40
00:02:23,850 --> 00:02:27,903
‫I'm going to say if request.auth,

41
00:02:28,860 --> 00:02:33,000
‫So this means that if the request is coming

42
00:02:33,000 --> 00:02:36,807
‫from some sources, okay some source,

43
00:02:36,807 --> 00:02:41,234
‫and if the authentication of that request

44
00:02:41,234 --> 00:02:43,867
‫is not null, for example.

45
00:02:45,452 --> 00:02:48,614
‫So I'm allowing the writing, okay?

46
00:02:48,614 --> 00:02:50,947
‫If request.auth is not null.

47
00:02:53,100 --> 00:02:58,100
‫So like this is not null. So what this is going to do

48
00:02:59,430 --> 00:03:04,430
‫Is to allow reading for any kind of circumstance, okay?

49
00:03:05,310 --> 00:03:09,090
‫So if you're trying to build an app

50
00:03:09,090 --> 00:03:13,350
‫and you don't care if everybody sees everybody's data

51
00:03:13,350 --> 00:03:15,840
‫then this is very ideal for you.

52
00:03:15,840 --> 00:03:19,500
‫For example, in our app, everyone can see the tweets

53
00:03:19,500 --> 00:03:23,670
‫of each other, but if they want to write it

54
00:03:23,670 --> 00:03:25,920
‫if they want to edit it for example

55
00:03:25,920 --> 00:03:28,440
‫or change a tweet or delete a tweet,

56
00:03:28,440 --> 00:03:30,570
‫they should be logged in.

57
00:03:30,570 --> 00:03:34,770
‫So over here you can see it's saved already

58
00:03:34,770 --> 00:03:38,940
‫and we can actually try this right now.

59
00:03:38,940 --> 00:03:42,510
‫So sometimes it can take like a minute

60
00:03:42,510 --> 00:03:46,410
‫or two to make this in session.

61
00:03:46,410 --> 00:03:49,320
‫Okay? So make this available.

62
00:03:49,320 --> 00:03:51,690
‫So if you try this and it fails,

63
00:03:51,690 --> 00:03:53,730
‫make sure you wait for like five minutes

64
00:03:53,730 --> 00:03:55,200
‫and try one more time.

65
00:03:55,200 --> 00:03:59,610
‫But right now I'm just going to try and delete a tweet

66
00:03:59,610 --> 00:04:04,610
‫from here like this. So I'm going to paste it, okay?

67
00:04:05,040 --> 00:04:07,131
‫Come over here and say paste.

68
00:04:07,131 --> 00:04:12,131
‫And I'm going to see if we can actually delete it or not.

69
00:04:12,840 --> 00:04:15,120
‫So we shouldn't be able to delete it

70
00:04:15,120 --> 00:04:17,880
‫because we've changed the secret rules.

71
00:04:17,880 --> 00:04:20,580
‫Here we go. You see the document over here?

72
00:04:20,580 --> 00:04:23,850
‫Now if I run this, okay, I'm a hacker.

73
00:04:23,850 --> 00:04:27,540
‫I'm not related with development side of this thing.

74
00:04:27,540 --> 00:04:30,330
‫I'm just trying to hack into this.

75
00:04:30,330 --> 00:04:34,590
‫And as you can see, I get the status of permission denied.

76
00:04:34,590 --> 00:04:37,444
‫So if I'm not logged in right now

77
00:04:37,444 --> 00:04:41,010
‫then I won't be able to delete this.

78
00:04:41,010 --> 00:04:44,910
‫So this is a good idea to check the authentication

79
00:04:44,910 --> 00:04:48,420
‫because if you make it so then no one

80
00:04:48,420 --> 00:04:51,810
‫can actually reach it through durest calls

81
00:04:51,810 --> 00:04:55,860
‫and they will be only be able to actually

82
00:04:55,860 --> 00:04:59,550
‫do this with an app when they are logged in.

83
00:04:59,550 --> 00:05:02,342
‫So we cant do this for read as well.

84
00:05:02,342 --> 00:05:05,070
‫But maybe we don't wanna do this for read

85
00:05:05,070 --> 00:05:07,440
‫maybe we just want to do this for write.

86
00:05:07,440 --> 00:05:11,351
‫So you can try and find your optimal way

87
00:05:11,351 --> 00:05:15,665
‫of using this and you can try to secure your app

88
00:05:15,665 --> 00:05:20,665
‫following these instructions on the Firestore documentation

89
00:05:21,579 --> 00:05:26,579
‫in order to create a perfectly safe fire based app for you.

90
00:05:26,850 --> 00:05:29,130
‫And of course, we are not going to stop you

91
00:05:29,130 --> 00:05:31,080
‫we're just going to deep dive a little bit

92
00:05:31,080 --> 00:05:34,380
‫and learn about these rules a little bit

93
00:05:34,380 --> 00:05:38,400
‫more in depth so that you can create your own rules

94
00:05:38,400 --> 00:05:39,900
‫in a proper way.

95
00:05:39,900 --> 00:05:42,513
‫We're gonna do that within the next lecture.