Solved

Cloud Firestore Security Rules: Conditional Access Based On Subscription Status

  • 20 November 2023
  • 5 replies
  • 70 views
B
Badge +6

Hello,

Unfortunately documentation page https://www.revenuecat.com/docs/firebase-integration provides only client-side authorization check
 

getAuth().currentUser.getIdTokenResult()
  .then((idTokenResult) => {
     // Confirm the user has a premium entitlement.
     if (!!idTokenResult.claims.activeEntitlements.includes("premium")) {
       // Show premium UI.
       showPremiumUI();
     } else {
       // Show regular user UI.
       showFreeUI();
     }
  })
  .catch((error) => {
    console.log(error);
  });

 

It won’t prevent me to write code accessing Firestore with expired subscription. 

Can you please provide some examples / design patterns / best practices for server side? For example, Cloud Firestore Rules which check subscription status, or maybe cloud functions? Hard to guess ;)

icon

Best answer by Bamba 29 March 2024, 18:19

View original

5 replies

B
Badge +6

Maybe as simple as this?
 

service cloud.firestore {
    match /databases/{database}/documents {
       match /articles/{articleId} {
          allow read: if true;
          allow write: ....;

          match /protected/{protecedId} {
            allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.subscription == true;
          }
       }
    }
}


And cloud function listening for updates from Apple/Google stores?

Any better examples? I was expecting that RevenueCat Firebase Integration provides “out-of-the-box” server-side API which we can use to customize Cloud Firestore Security Rules

Ryan Glanz
Rank
Userlevel 3
Badge +8

Hi!

We’re unable to give specific cloud function examples, but many developers will simply call our GET /subscribers api endpoint from firebase if they want to check subscription status away from the client.

B
Badge +6

Thanks @Ryan Glanz 

I believe I found answer to my question after analyzing source codes of RevenueCat extension for Firebase at https://github.com/RevenueCat/firestore-revenuecat-purchases

The code will listen to App/Google/Amazon store events and apply custom claims to “user” entity in Firebase, so that I only need to configure Cloud Firestore Security Rules with these *undocumented* claims; I can only guess that if my subscription is called “premium” in RevenueCat then Firebase Rule will be something like

{
  "rules": {
    "adminContent": {
      ".read": "auth.token.premium === true",
      ".write": "auth.token.premium === true",
    }
  }
}

And after that client-side handles it (as in example in 1st post here)

Would be nice to have more examples for newbies like me ;)
Thanks,

B
Badge +6

Hi!

We’re unable to give specific cloud function examples, but many developers will simply call our GET /subscribers api endpoint from firebase if they want to check subscription status away from the client.


Hello RevenueCat team,

Could you please provide few Firebase Cloud Firestore security rules examples, using “claims” (assuming Firestore uses RevenueCat extension).

Thanks,

B
Badge +6

Hello,
 

It really seems RevenueCat hired some people to write docs and support this forum who have no idea on SDKs internals; they can only refer to documentation, and in this specific case there is no any, it is not documented.

 

Here is what works with Firebase Cloud Firestore + RevenueCat Extension, just a template/example:

 match /aaa/{bbb}{
  	  allow read: if true;
      match /ccc/{ddd=**} {
        allow read: if request.auth.token.revenueCatEntitlements[0] == 'premium';
      }
}

 

This is just basic example; in RevenueCat, I have single product with “premium” identifier; in App Store, corresponding product is monthly subscription.

You need debugger & hacker skills to find that.

Reply


Terms & ConditionsCookie settings