If my app calls a cloud function and I validate the request against Firestore user info, is this just as secure as a Firestore security rule?

Question

I am setting up my app so that any client device can only impact collections/sub-collections that they own. However, to interact with other users, a user will need to make the app create a row in another user's collection. What is the safest way to do this?

My idea for this would be to have the app call a cloud function to create the record in the other user's collection. The cloud function would read the request and make sure of the following:

1. The incoming request has an existing UID

2. The incoming request's user's email is verified

3. The incoming request's UID has a record in the Firestore 'users' collection

If I do this, is this just as secure as using Firestore security rules?

Answer 1

The question you're asking is unfortunately not as easy to answer as you expect. Firestore security rules don't ensure general "security" of your app any more than backend code. Rules let you specify rules for reads and writes according to the conditions you provide, if you want to use them. If rules are not sufficient for the requirements at hand, then maybe backend code will work better. In either case, you can allow or deny access based on conditions you provide.

In terms of functionality, both options allow you to allow or restrict access in different ways. Neither one is more or less "secure" than the other. The main issue you should consider is which one lets you most easily specify those rules. Security rules are fundamentally more limited in what you can check, while backend code is fundamentally more flexible. The option you choose is dependent on what you're trying to allow or reject.

The constraints you specified in the question could be enforced by either security rules or backend code, so I don't see that one is necessarily more or less secure than the other.