Firestore Security - allow only known fields

14
votes

I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:

user {
 name: "John"
 phone: "2342222"
 address: "5th Avenue"
}

I dont want any other fields besides the 3 above (name, phone, address).

The fields WON’T be saved at the same time. name and phone will be saved first, and address will be saved only when user wants to edit his profile.

I've tried the rules below but don’t seem to work:

allow read: if request.auth.uid == uid;
allow write: if request.auth.uid == uid && 
 request.resource.data.keys() in ["name", "phone", "address"]

Thanks for help.

3
firebasefirebase-securitygoogle-cloud-firestore

3 Answers

16
votes

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;
11
votes

You're looking for both the size() and hasOnly() methods.

allow write: if request.resource.data.size() == 3 
             && request.resource.data.keys().hasOnly(['name', 'phone', 'address'])

Using size() allows you to ensure an exact number of fields. Combining that with hasOnly() allows to you lock it to those specific fields.

You can read more in the Cloud Firestore Rules reference docs.

5
votes

To add on to Mike McDonald's answer, to check for particular keys, the form is now:

request.resource.data.keys().hasAll

instead of

request.resource.data.hasAll

Full example:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.keys().hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

More information here: https://firebase.google.com/docs/reference/rules/rules.Map