I am trying to set up private chat abilities in an app that I am working on and I'm having a bit of trouble wrapping my head around denormalizing the data/setting up the rules properly.
After doing some reading, I realize that rules are all or nothing so using rules to filter is not an option.
I've sketched out my basic idea on paper, and have pasted it below. Basically there would be two main routes, users and chats.
Users would just be a keyed list, with each key matching an authenticated user. Then inside each member of the list I would just have each chat that the said user is in listed as a key.
For the chats route I'd have a list of all of the chats.
Now for the rules.
Users would only be able to read their data in the list where the key matched their uid. For the write I'm less confident. I'm thinking I have to let anyone with authentication write, otherwise the user starting the chat could not notify others of the new chat by placing the chat id in their chat list in the users route.
For the chats rules both read and write would only be allowed if the user is authenticated and the chat key is located inside their data in the user route.
Does this seem like I'm going in the right direction?

    users: {
        user1: {
            chat1: true,
            chat2: true
            ...
        },
        user2: {
            chat1: true,
            chat3: true
            ...
        }
    }
    chats: {
        chat1: {
            lastUpdate: timestamp,
            messages: {
                0: {
                    from: user1,
                    to: user2,
                    message: some message
                }
                ...
            }
        }
    }

    {
      "rules": {
        ".read": false,
        ".write": false,
        "users": {
          "$user_id": {
            ".read": "auth != null && $user_id == auth.uid",
            // not sure here, as other users need to write here if they start a new chat
            ".write": "auth != null"
          }
        },
        "chats": {
          "$chat_id": {
            // allowed only if this chat's key is listed under the caller's own entry in users
            ".read": "auth != null && root.child('users').child(auth.uid).child($chat_id).exists()",
            ".write": "auth != null && root.child('users').child(auth.uid).child($chat_id).exists()"
          }
        }
      }
    }
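
One way to close the open `.write` on `users/$user_id`, as an added example that is not part of the original post: with that rule any signed-in user can write a chat key into any user's list, their own included, and the `chats` rules then trust that entry. Here membership lives in the chat itself and the per-user list is only an index that existing members may write. The `members` map and the `$message_id` and `$member_id` keys are assumptions that do not appear in the post's data sketch.

```json
{
  "rules": {
    // Added example. Assumed names not in the post: chats/$chat_id/members
    // (uid -> true) and per-message keys ($message_id).
    ".read": false,
    ".write": false,
    "users": {
      "$user_id": {
        ".read": "auth != null && auth.uid === $user_id",
        "$chat_id": {
          // Index entry only: writer and target must both already be members.
          ".write": "auth != null && root.child('chats').child($chat_id).child('members').child(auth.uid).exists() && root.child('chats').child($chat_id).child('members').child($user_id).exists()",
          ".validate": "newData.val() === true"
        }
      }
    },
    "chats": {
      "$chat_id": {
        // Access is decided by the member list, not by the users index.
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",
        "members": {
          // Create: caller must include themselves. Later: members only.
          ".write": "auth != null && ((!data.exists() && newData.child(auth.uid).exists()) || data.child(auth.uid).exists())",
          "$member_id": { ".validate": "newData.val() === true" }
        },
        "lastUpdate": {
          ".write": "auth != null && data.parent().child('members').child(auth.uid).exists()",
          ".validate": "newData.val() === now"
        },
        "messages": {
          "$message_id": {
            // Append-only, and 'from' must be the authenticated sender.
            ".write": "auth != null && !data.exists() && root.child('chats').child($chat_id).child('members').child(auth.uid).exists()",
            ".validate": "newData.child('from').val() === auth.uid && newData.child('message').isString()"
          }
        }
      }
    }
  }
}
```

Because `root` reflects the data before the write, the client creates `chats/$chat_id/members` first and writes the `users/.../$chat_id` index entries in a second operation.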