Initial commit

.agents/skills/firebase-auth-basics/references/security_rules.md

@@ -0,0 +1,38 @@
+# Authentication in Security Rules
+
+Firebase Security Rules work with Firebase Authentication to provide rule-based access control. For better advice on writing safe security rules,
+enable the `firebase-firestore-basics`  or `firebase-storage-basics` skills.
+ 
+The `request.auth` variable contains authentication information for the user requesting data.
+
+## Basic Checks
+
+### Check if user is signed in
+```
+allow read, write: if request.auth != null;
+```
+
+### Check if user owns the data
+Access data only if the document ID matches the user's UID.
+```
+allow read, write: if request.auth != null && request.auth.uid == userId;
+```
+(Where `userId` is a path variable, e.g., `match /users/{userId}`)
+
+### Check if user owns the document (field-based)
+Access data only if the document has a `owner_uid` field matching the user's UID.
+```
+allow read, write: if request.auth != null && request.auth.uid == resource.data.owner_uid;
+```
+
+## Token Properties
+`request.auth.token` contains standard JWT claims and custom claims.
+
+- `request.auth.token.email`: The user's email address.
+- `request.auth.token.email_verified`: If the email is verified.
+- `request.auth.token.name`: The user's display name.
+
+### Example: Email Verification Check
+```
+allow create: if request.auth.token.email_verified == true;
+```