firestore permission with gps distance

Question

Is that possible to write the rule to prevent the reading document if the user gps location is larger than 10 meters?
the collection is "shop" and document (document id is autogenerated id)contain fields GPS location

Answer 1

Firestore's server-side security rules can only read information about the user that is encoded into that user's ID token. So that means that you can only implement this if you encode the user's GPS location data into their ID token, and do that in a secure way.

The steps I can think of:

1. On the device determine the user's location.
2. Send that location to a Cloud Function (or otherwise trusted environment, such as a server you control).
3. Verify that the user is indeed at this location somehow.
4. Set the location into the user's profile as a custom claim, as shown here.
5. Respond back to the client that their profile has been updated.
6. Back on the device, use this response to refresh the ID token, so that it has the location information.
7. Send the request to the database, which will now include this location information.
8. Ensure that the document(s) requested is within the required range in security rules, by comparing the information in the request/query with the data in the document(s).

As you can see this process is pretty involved, and I'm not even sure how to secure step 3. So you'll have to wonder if securing the use-case is worth the effort, or whether it might be better to just limit how much data and out of what type of range people can request data at any one time.