googleinterns/Pictophone

Update Firestore security rules

Opened this issue · 0 comments

Is your feature request related to a problem? Please describe.
For beginning development, we had read-write access for everything in Firestore granted to all users. Maybe we do not want that in production.

Describe the solution you'd like

  • Stored credentials can only be accessed by the backend
  • Users can only update their own user profiles
  • Users cannot grab other people's emails
  • Users should not be able to update games out of turn
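
One way to express the four requirements above as Firestore security rules, added here as an example and not taken from the Pictophone repository. The issue does not describe the schema, so the collection names (`credentials`, `users`, `games`), the `private` subcollection and the `players`, `currentPlayer` and `drawing` fields are assumptions, as is a backend that talks to Firestore through a server SDK, which is not subject to these rules.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The development-time catch-all must be deleted, not just left beside the
    // rules below: access is granted if ANY matching rule allows it.
    //   match /{document=**} { allow read, write: if true; }

    function signedIn() { return request.auth != null; }
    function isOwner(uid) { return signedIn() && request.auth.uid == uid; }

    // 1. Stored credentials: no client access at all (hypothetical collection).
    match /credentials/{docId} {
      allow read, write: if false;
    }

    // 2. Profiles: any signed-in user may read, only the owner may write.
    match /users/{uid} {
      allow read: if signedIn();
      allow create, update: if isOwner(uid);
      allow delete: if false;

      // 3. Email lives in an owner-only subdocument (assumed layout), because
      // rules allow or deny whole documents and cannot hide a single field.
      match /private/{docId} {
        allow read, write: if isOwner(uid);
      }
    }

    // 4. Games: only players may read; only the player whose turn it is may
    // update, and only the fields a turn is expected to change (assumed names).
    match /games/{gameId} {
      allow read: if signedIn() && request.auth.uid in resource.data.players;
      allow update: if signedIn()
        && resource.data.currentPlayer == request.auth.uid
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(['drawing', 'currentPlayer'])
        && request.resource.data.currentPlayer in resource.data.players;
      allow create, delete: if false;  // assumed to be done by the backend
    }
  }
}
```

Rules like these can be exercised against the Firebase Local Emulator Suite with one signed-in user per role before they are deployed.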