39 lines
1.3 KiB
Markdown
# Authentication in Security Rules
Firebase Security Rules work with Firebase Authentication to provide rule-based access control. For more detailed guidance on writing safe security rules, enable the `firebase-firestore-basics` or `firebase-storage-basics` skills.
The `request.auth` variable contains authentication information for the user requesting data.
## Basic Checks
### Check if user is signed in

```
// Any signed-in user may read and write; unauthenticated requests are denied.
allow read, write: if request.auth != null;
```

### Check if user owns the data

Access data only if the document ID matches the user's UID.

```
// Only the user whose UID equals the {userId} path segment may read or write.
allow read, write: if request.auth != null && request.auth.uid == userId;
```

(Where `userId` is a path variable, e.g., `match /users/{userId}`)

### Check if user owns the document (field-based)

Access data only if the document has an `owner_uid` field matching the user's UID.

```
// resource.data is the document already stored; on create it is null,
// so a create rule must check request.resource.data instead.
allow read, write: if request.auth != null && request.auth.uid == resource.data.owner_uid;
```

## Token Properties
`request.auth.token` contains standard JWT claims and custom claims.

- `request.auth.token.email`: The user's email address.
- `request.auth.token.email_verified`: Whether the user's email address has been verified (boolean).
- `request.auth.token.name`: The user's display name.

### Example: Email Verification Check

```
// Only users with a verified email address may create documents.
allow create: if request.auth.token.email_verified == true;
```
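
The checks from the Basic Checks and Token Properties sections above, combined into one complete Firestore ruleset, as an added example that is not part of the original page: the `notes` collection, the helper function names and the create/update split are assumptions for illustration. It goes beyond the individual snippets by distinguishing `resource` (the document already stored) from `request.resource` (the incoming write), because `resource` is null on create and a rule that reads `resource.data.owner_uid` there denies the write.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep the rules readable and make each check reusable.
    function signedIn() {
      return request.auth != null;
    }
    function isOwnerByPath(userId) {
      return signedIn() && request.auth.uid == userId;
    }
    function emailVerified() {
      return signedIn() && request.auth.token.email_verified == true;
    }

    // Path-based ownership: /users/{userId} belongs to the user with that UID.
    match /users/{userId} {
      allow read, write: if isOwnerByPath(userId);
    }

    // Field-based ownership (hypothetical collection name: notes).
    match /notes/{noteId} {
      // Reads and deletes check the stored document (resource).
      allow read, delete: if signedIn()
                          && request.auth.uid == resource.data.owner_uid;

      // On create there is no stored document yet, so check the incoming
      // document (request.resource); also require a verified email address.
      allow create: if emailVerified()
                    && request.resource.data.owner_uid == request.auth.uid;

      // On update, the caller must own the existing document and may not
      // reassign ownership to another UID.
      allow update: if signedIn()
                    && request.auth.uid == resource.data.owner_uid
                    && request.resource.data.owner_uid == resource.data.owner_uid;
    }
  }
}
```

Exercising this ruleset against the Firestore emulator before deploying lets you confirm that an unauthenticated read, a create without `owner_uid`, and an update that changes `owner_uid` are all rejected while the owner's own operations succeed.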