Konsola git

Firebase Database Security Rules API

Rule: Types

.read

Grants a client read access to a Firebase Realtime Database location.

A .read rule is a type of Security Rule which grants a client read access to a Firebase Realtime Database location. For example:

 ".read": "auth != null && auth.provider == 'twitter'"

The value of a .read rule is a string, which is evaluated as a subset of JavaScript's expression syntax with a few behavioral changes to increase clarity and correctness. A .read rule which grants permission to read a location will also allow reading of any descendants of that location, even if the descendants have their own .read rules which fail.

A .read rule has access to all of Firebase Realtime Database's Rule Variables except newData.

.write

Grants a client write access to a Firebase Realtime Database location.

A .write rule is a type of Security Rule which grants a client write access to a Firebase Realtime Database location. For example:

".write": "auth != null && auth.token.isAdmin == true"

The value of a .write rule is a string, which is evaluated as a subset of JavaScript's expression syntax with a few behavioral changes to increase clarity and correctness. A .write rule which grants permission to write to a location will also allow writing to any descendants of that location, even if the descendants have their own .write rules which fail.

A .write rule has access to all of Firebase Realtime Database's Rule Variables.

.validate

Used once a .write rule has granted access, to ensure that the data being written conforms to a specific schema.

A .validate rule is used once a .write rule has granted access, to ensure that the data being written conforms to a specific standard. In addition to a .write granting access, all relevant .validate rules must succeed before a write is allowed. For example:

".validate": "newData.hasChildren(['name', 'age'])"

The value of a .validate rule is a string, which is evaluated as a subset of JavaScript's expression syntax with a few behavioral changes to increase clarity and correctness.

A .validate rule has access to all of Firebase Realtime Database's Rule Variables.

.indexOn

Improves query performance by telling the Firebase Realtime Database which keys you want your data indexed.

The .indexOn rule tells the Firebase Realtime Database servers to index specific keys in your data to improve the performance of your queries. For example, given a database with a collection of dinosaur data, we can tell Firebase Realtime Database to optimize for queries, before they are returned from the servers, by adding this rule:

{
  "rules": {
    "dinosaurs": {
      ".indexOn": ["height", "length"]
    }
  }
}

You can find out more information about the .indexOn rule by referring to the section of the security guide on indexing your data.

Rule: Variables

auth

A variable containing the token payload if a client is authenticated, or null if the client isn't authenticated.

Firebase Realtime Database allows you to easily authenticate to several built-in providers and will generate auth tokens for them. After a user is authenticated with one of the built-in providers, the auth variable will contain the following:

Field Description
provider The authentication method used (e.g "password", "anonymous", "facebook", "github", "google", or "twitter").
uid A unique user id, guaranteed to be unique across all providers.
token The contents of the Firebase Auth ID token. See auth.token.

As an example, we could have a rule like the following to allow users to create comments as long as they store their user ID with the comment:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && newData.child('user_id').val() == auth.uid"
    }
  }
}

We could also make a rule like the following to allow users to create comments as long as they are signed in using Facebook:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && auth.provider == 'facebook'"
    }
  }
}

auth.token

A variable containing the contents of the Firebase Auth ID token.

The token contains some or all of the following keys:

Field Description
email The email address associated with the account, if present.
email_verified true if the user has verified they have access to the email address. Some providers automatically verify email addresses they own.
phone_number The phone number associated with the account, if present.
name The user's display name, if set.
sub The user's Firebase UID. This is unique within a project.
firebase.identities Dictionary of all the identities that are associated with this user's account. The keys of the dictionary can be any of the following: email, phone, google.com, facebook.com, github.com, twitter.com. The values of the dictionary are arrays of unique identifiers for each identity provider associated with the account. For example, auth.token.firebase.identities["google.com"][0] contains the first Google user ID associated with the account.
firebase.sign_in_provider The sign-in provider used to obtain this token. Can be one of the following strings: custom, password, phone, anonymous, google.com, facebook.com, github.com, twitter.com.

If using custom authentication, request.auth.token also contains any custom claims specified by the developer.

All of these values can be used within rules. For example, to restrict access to Google accounts associated with a gmail.com address, we could add the rule:

{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && auth.token.email.matches(/.*@gmail.com$/)"
      }
    }
  }
}

For completeness, the following fields are also included, in auth.token, but they are unlikely to be useful for rules.

Field Description
iss The issuer of the token.
aud The audience for the token.
auth_time The last time the user authenticated with a credential using the device receiving the token.
iat The time at which the token was issued.
exp The time at which the token expires.

$location

A variable that can be used to reference the key of a $location that was used earlier in a rule structure.

When you have a $location in your rules structure, you can use a matching $ variable within your rule expression to get the name of the actual child being read or written. So suppose we want to give every user read and write access to their own /users/<user> location. We could use:

{
  "rules": {
    "users": {
      "$user": {
        ".read": "auth.uid === $user",
        ".write": "auth.uid === $user"
      }
    }
  }
}

When a client tries to access /users/barney, the $user default location will match with $user being equal to "barney". So the .read rule will check if auth.uid === 'barney'. As a result, reading /users/barney will succeed only if the client is authenticated with a uid of "barney".

now

Contains the number of milliseconds since the Unix epoch according to the Firebase Realtime Database servers.

The now variable contains the number of milliseconds since the UNIX epoch according to the Firebase Realtime Database servers. For instance, you could use this to validate that a user's created time is never set to a time in the future:

{
  "rules": {
    "users": {
      "$user": {
        "created": {
          ".validate": "newData.val() < now"
        }
      }
    }
  }
}

root

A RuleDataSnapshot corresponding to the current data at the root of your Firebase Realtime Database.

The root variable gives you a RuleDataSnapshot corresponding to the current data at the root of your Firebase Realtime Database. You can use this to read any data in your database in your rule expressions. For instance, if we wanted to allow users to read /comments only if their /users/<id>/active was set to true, we could use:

{
  "rules": {
    "comments": {
      ".read": "root.child('users').child(auth.uid).child('active').val() == true"
    }
  }
}

Then, if /users/barney/active contained the value true, a user authenticated with a uid of "barney" could write to the /comments node.

data

A RuleDataSnapshot corresponding to the current data in Firebase Realtime Database at the location of the currently executing rule.

The data variable gives you a RuleDataSnapshot corresponding to the current data in the database location of the currently executing rule (as opposed to root, which gives you the data for the root of your database).

So for example, if you wanted to let any client access /users/<user> if /users/<user>/public was set to true, you could use:

{
  "rules": {
    "users": {
      "$user": {
        ".read": "data.child('public').val() == true"
      }
    }
  }
}

The data variable is available in .read, .write, and .validate rules.

newData

A RuleDataSnapshot