Firebase Security Rules provide access control and data validation in a format that supports
multiple levels of complexity. To build user-based and role-based access systems
that keep your users' data safe, use
Firebase Authentication
with
Firebase Security Rules.
Identify users
Authentication identifies users requesting access to your data and provides that
information as a variable you can leverage in your rules. The
auth
variable
contains the following information:
uid
:
A unique user ID, assigned to the requesting user.
token
:
A map of values collected by Authentication.
The
auth.token
variable contains the following values:
Field
|
Description
|
email
|
The email address associated with the account, if present.
|
email_verified
|
true
if the user has verified they have access to the
email
address. Some providers automatically verify email addresses they own.
|
phone_number
|
The phone number associated with the account, if present.
|
name
|
The user's display name, if set.
|
sub
|
The user's Firebase UID. This is unique within a project.
|
firebase.identities
|
Dictionary of all the identities that are associated with this user's account. The keys of the dictionary can be any of the following:
email
,
phone
,
google.com
,
facebook.com
,
github.com
,
twitter.com
. The values of the dictionary are arrays of unique identifiers for each identity provider associated with the account. For example,
auth.token.firebase.identities["google.com"][0]
contains the first Google user ID associated with the account.
|
firebase.sign_in_provider
|
The sign-in provider used to obtain this token. Can be one of the following strings:
custom
,
password
,
phone
,
anonymous
,
google.com
,
facebook.com
,
github.com
,
twitter.com
.
|
firebase.tenant
|
The tenantId associated with the account, if present. e.g.
tenant2-m6tyz
|
If you want to add customized authentication attributes, the
auth.token
variable also contains any
custom claims
you specify.
When the user requesting access isn't signed in, the
auth
variable is
null
.
You can leverage this in your rules if, for example, you want to limit read
access to authenticated users ?
auth != null
. However, we generally recommend
limiting write access further.
For more information about the
auth
variable, see the reference
documentation for
Cloud Firestore
,
Realtime Database
, and
Cloud Storage
.
In practice, using authenticated information in your rules makes your rules
more powerful and flexible. You can control access to data based on user
identity.
In your rules, define how the information in the
auth
variable ? the
requestor's user information ? matches the user information associated with the
requested data.
For example, your app may want to make sure users can only read and write their
own data. In this scenario, you would want a match between the
auth.uid
variable and the user ID on the requested data:
Cloud Firestore
service cloud.firestore {
match /databases/{database}/documents {
// Make sure the uid of the requesting user matches name of the user
// document. The wildcard expression {userId} makes the userId variable
// available in rules.
match /users/{userId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}
Realtime Database
{
"rules": {
"users": {
"$userId": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($userId)
".write": "$userId === auth.uid"
}
}
}
}
Cloud Storage
service firebase.storage {
// Only a user can upload their file, but anyone can view it
match /users/{userId}/{fileName} {
allow read;
allow write: if request.auth != null && request.auth.uid == userId;
}
}
You can further leverage the
auth
variable to define custom fields assigned
to your app's users.
For example, assume you want to create an "admin" role that enables write access
on certain paths. You would assign that attribute to users, and
then leverage it in the rules granting access on the paths.
In Cloud Firestore, you can add a custom field to users' documents and retrieve
that field's value with an embedded read in your rules. So, your admin-based
rule would look like the following example:
Cloud Firestore
service cloud.firestore {
match /databases/{database}/documents/some_collection: {
// Remember that, in Cloud Firestore, reads embedded in your rules are billed operations
write: if request.auth != null && get(/databases/(database)/documents/users/$(request.auth.uid)).data.admin == true;
read: if request.auth != null;
}
}
You can access custom claims in Rules after
creating custom claims
in Authentication. You can then
reference those custom claims using the
auth.token
variable.
Cloud Firestore
service cloud.firestore {
match /databases/{database}/documents {
// For attribute-based access control, check for an admin claim
allow write: if request.auth.token.admin == true;
allow read: true;
// Alterntatively, for role-based access, assign specific roles to users
match /some_collection/{document} {
allow read: if request.auth.token.reader == "true";
allow write: if request.auth.token.writer == "true";
}
}
}
Realtime Database
{
"rules": {
"some_path/$sub_path": {
// Create a custom claim for the admin role
".write": "auth.uid !== null && auth.token.writer === true"
".read": "auth.uid !== null"
}
}
}
Cloud Storage
service firebase.storage {
// Create a custom claim for the admin role
match /files/{fileName} {
allow read: if request.auth.uid != null;
allow write: if request.auth.token.admin == true;
}
}
To see more examples of basic Rules leveraging Authentication, see
Basic Security Rules
.