Onsol-GO/.agents/skills/firebase-auth-basics/references/security_rules.md

Authentication in Security Rules

Firebase Security Rules work with Firebase Authentication to provide rule-based access control. For better advice on writing safe security rules, enable the firebase-firestore-basics or firebase-storage-basics skills.

The request.auth variable contains authentication information for the user requesting data.

Basic Checks

Check if user is signed in

allow read, write: if request.auth != null;

Check if user owns the data

Access data only if the document ID matches the user's UID.

allow read, write: if request.auth != null && request.auth.uid == userId;

(Where userId is a path variable, e.g., match /users/{userId})

Check if user owns the document (field-based)

Access data only if the document has a owner_uid field matching the user's UID.

allow read, write: if request.auth != null && request.auth.uid == resource.data.owner_uid;

Token Properties

request.auth.token contains standard JWT claims and custom claims.

• request.auth.token.email: The user's email address.
• request.auth.token.email_verified: If the email is verified.
• request.auth.token.name: The user's display name.

Example: Email Verification Check

allow create: if request.auth.token.email_verified == true;