Firebase Rules: How to block anonymous access?

Question

Reading the Firebase Rules Documentation I couldn't find anything on how to block anonymous access to a specific collection or document.

In other words, I want to block users who are not logged in, and I also want to block users who are logged in as anonymous. I want to allow only users who are logged in as themselves (through email, Facebook, Google, SMS, etc).

How can I do that?

This is the code I came up with, which doesn't work:

    service cloud.firestore {
      match /databases/{database}/documents {
        }
        match /collectionExample/{documentExample} {
          allow create: if request.auth.uid != null && request.auth.token.isAnonymous != false;              
          allow read: if request.auth.uid == resource.data.userId;
        }
      }
    }

score 25 · Accepted Answer · answered Nov 22 '18 at 06:53

I haven't tried this, but I suspect you can use request.auth.token.firebase.sign_in_provider (see the docs for auth). It's supposed to contain the value anonymous for anonymous auth. So, to allow document creates for non-anonymous logged in users:

allow create: if request.auth.uid != null && request.auth.token.firebase.sign_in_provider != 'anonymous';

Or, you could change it to only allow certain providers as well, given the other possible values for token firebase.sign_in_provider in the docs.

I tested, using `request.auth.token.firebase.sign_in_provider != 'anonymous'`, that works, thanks — Eduardo Yamauchi, Nov 22 '18 at 18:14

Firebase Rules: How to block anonymous access?

1 Answers1

Linked