feat: Firebase project config — Firestore, Storage rules, Functions setup (batch v0.2.3)
- .firebaserc: default project set to couples-connect-dev - firebase.json: Firestore rules/indexes, Storage rules, Functions source config - storage.rules: profile photo write/read rules (5MB cap, image-only, owner-scoped) - firestore.indexes.json: empty (no custom indexes yet)
This commit is contained in:
parent
7552c451db
commit
c878a9be1f
|
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
"projects": {
|
||||
"default": "couples-connect-dev"
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
{
|
||||
"firestore": {
|
||||
"rules": "firestore.rules",
|
||||
"indexes": "firestore.indexes.json"
|
||||
},
|
||||
"storage": {
|
||||
"rules": "storage.rules"
|
||||
},
|
||||
"functions": [
|
||||
{
|
||||
"source": "functions",
|
||||
"codebase": "default",
|
||||
"ignore": [
|
||||
"node_modules",
|
||||
".git",
|
||||
"firebase-debug.log",
|
||||
"firebase-debug.*.log"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"indexes": [],
|
||||
"fieldOverrides": []
|
||||
}
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
rules_version = '2';
|
||||
service firebase.storage {
|
||||
match /b/{bucket}/o {
|
||||
|
||||
// Profile photos: only the owner may write; both the owner and their
|
||||
// partner can read via the tokenized download URL. Direct read is
|
||||
// scoped to the owner so raw storage paths aren't publicly accessible.
|
||||
//
|
||||
// Size cap: 5 MB. Content-type must be an image (enforced at upload,
|
||||
// not at read, so the header check only blocks mismatched writes).
|
||||
match /users/{uid}/profile.jpg {
|
||||
allow write: if request.auth != null
|
||||
&& request.auth.uid == uid
|
||||
&& request.resource.size < 5 * 1024 * 1024
|
||||
&& request.resource.contentType.matches('image/.*');
|
||||
|
||||
// Partners receive the tokenized download URL (generated server-side or
|
||||
// at upload time) which bypasses these rules. Direct rule-based read is
|
||||
// scoped to the owner only.
|
||||
allow read: if request.auth != null && request.auth.uid == uid;
|
||||
}
|
||||
|
||||
// Deny all other paths by default.
|
||||
match /{allPaths=**} {
|
||||
allow read, write: if false;
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue