I have doubts about security rules in Firestore.
My scenario is this: An Android application where users will only read data. They will not save, they will not modify anything. They are not going to register. It's just data reading.
I, for my part, need to write to that collection. I plan to do it via cURL using the API key.
The rule that I am using is the following:
match /mycol/{document=**} {
  allow read: if request.auth.uid != null;
  allow write: if true;
}
I want to prevent my collection from being accessed, for example by URL, from anywhere:
https://firestore.googleapis.com/v1/projects/myproject/databases/(default)/documents/mydoc/mycol/
For example, I want to avoid bots launching indiscriminate requests that would inflate my bill...
Am I implementing the right rules for this case (read-only from the Android app without authentication, and writes via cURL using the API key)?
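Added example, not part of the original post: the rule from the question with client writes closed, shown as a complete ruleset. It assumes (neither is stated in the post) that the Android app signs in with Firebase Anonymous Authentication, and that the owner's writes use a service-account credential instead of the API key.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // As posted in the question:
    //   allow read:  if request.auth.uid != null;
    //   allow write: if true;
    // "if true" accepts writes from any caller, signed in or not,
    // including plain HTTP requests to the REST endpoint.

    match /mycol/{document=**} {
      // Only signed-in clients may read. Assumption: the app calls
      // Firebase Anonymous Authentication at start-up, so users never
      // register but request.auth is still set. Testing request.auth
      // itself avoids dereferencing null for unauthenticated requests.
      allow read: if request.auth != null;

      // No client may write. Assumption: the owner writes with a
      // service-account credential (Admin SDK, or REST with an OAuth 2.0
      // access token); those requests are authorized by IAM and are not
      // evaluated against these rules.
      allow write: if false;
    }
  }
}
```

An API key sent with a REST request only identifies the project; the request is still evaluated as unauthenticated, so the key cannot serve as the write credential.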