Questions tagged [firebase-security]

The Firebase Security API uses a flexible authentication system and an expression-based rules language to provide a very flexible security model.

Security Rules determine who has read and write access to the data in your Firebase Database, Cloud Storage for Firebase, and Cloud Firestore. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it.

For the Firebase Database and Cloud Firestore, the rules also validate how your data is structured, and what indexes exist. For Cloud Storage, the rules can also be used for data validation, including validating file name and path as well as file metadata properties such as content type and size. For Cloud

5411 questions
11 votes, 2 answers

Workaround for Firebase's "Rules Are Not Filters" constraint

I’d like a security rule that lets anyone get a list of users and read their names, but only allows logged in users to view their own email. Here’s an example data structure: "User" : { "abc123" : { "name" : "Bob", …
Zac

11 votes, 2 answers

Limit number of records that can be written to a path (reference other paths in security rules)

Let's say my Firebase collection looks like: { "max":5, "things":{} } How would I use the value of max in my security rules to limit the number of things? { "rules": { "things": { ".validate": "newData.val().length <= max" } …
Dan Kanze

11 votes, 1 answer

Firebase authentication not revoked when user deleted?

I've encountered a strange behavior of the Firebase simple login with email/password: If I log in with an existing user account I'm able to write to a Firebase ref (i.e. $root/list/$item). If not, I have no write access as expected (Firebase rules…
frenchfaso

11 votes, 1 answer

How can I use Firebase to securely share presence data within a specific group?

In my application I have a number of different user groups, such as chat rooms and specific projects. How can I allow the users in those groups to share their presence data, and see the presence of every other user in the group, but keep that data…
Rob DiMarco

10 votes, 2 answers

How to debug firestore.rules variables and functions?

I am having difficulty trying to diagnose a particular rule in my firestore.rules file. See that question here for context. Is there a way to debug the firestore.rules file and/or functions? I'm using unit testing and the emulators to test my…
Matt Penner

10 votes, 5 answers

Firestore ConnectionState is in Waiting state forever in flutter app

I am trying to fetch records from the Firestore database and show it in the Flutter app. @override Widget build(BuildContext context) { return Scaffold( appBar: AppBar( title: Text('Hello'), actions: [ …
Pratik

10 votes, 0 answers

disclosing firebase apiKey

Documentation of Firebase https://firebase.google.com/docs/web/setup tells us we can safely expose firebase apiKey: Note: The Firebase config object contains unique, but non-secret identifiers for your Firebase project. The tutorial explains how…
Emanuele Paolini

10 votes, 1 answer

Collection Group permissions for Firestore

I have these rules: match /suuntoAppAccessTokens/{userName} { allow create: if request.auth.uid != null && request.auth.token.firebase.sign_in_provider != 'anonymous'; match /tokens/{userID} { allow read, write, create, update,…
Jimmy Kane

10 votes, 2 answers

How to setup test data when testing Firestore Rules with Emulator?

I am working on tests for Cloud Firestore Rules, using mocha and Firestore Emulator, and the question is how to initialize some test data before running tests? To test my rules, I first need to initialize some test data. The problem is that I cannot…

10 votes, 2 answers

Split up Firebase Firestore Security Rules into separate Files?

Is there a way to split Firestore Security Rules (firestore.rules) into separate / multiple files? I would like to do a structure like so: index.rules // imports all the rules users.rules posts.rules comments.rules helperFunctions.rules // ... and…
Pascal

10 votes, 1 answer

Why does Firebase simulator throw an invalid argument error when I test for update or create?

This is my error: Error running simulation — Error: simulator.rules line [10], column [13]. Function not found error: Name: [get].; Error: Invalid argument provided to call. Function: [get], Argument: ["||invalid_argument||"] When I run this I have…

10 votes, 1 answer

Firebase Rules Wildcard and Child comparison

I'm trying to mix Firebase's Rule wildcards with children comparisons. I'm reading a child elsewhere whose value is '4'. When I do a literal comparison, the simulator gives me the green light (like this): { "rules": { "die": { "rolls":…

10 votes, 2 answers

How to validate array values with firestore's security rules?

I've a form which creates the following JSON structure. { "reviewed":false, "title":"Just a title", "user":"UYV9TRKXfNW1NeCyFyfjZfagJ8B", "items":[ { "age":"33", "experience":"Newcomer", …
Fabian

10 votes, 1 answer

(Firebase) Firestore security rules - allow if email verified without custom tokens?

Is there a way to check if the request user email is verified in the Firestore security rules? Something like: function isEmailVerified() { return request.auth.emailVerified == true; }
MTK90

10 votes, 2 answers

Allow read of firestore document, if it does not exist

In Firestore I want to allow a read if the targeted document does not exist. I have tried the following: service cloud.firestore { match /databases/{database}/documents { match /reports/{report} { allow read: if…
DauleDK