0 votes

I have the following rule in my Firestore:

    service cloud.firestore {
      match /databases/{database}/documents {
        match /users/{userId}/{documents=**} {
          // Only the authenticated user who authored the document can read or write
          allow read: if request.auth.uid == userId;
          // No condition here: this grants write access to anyone, unauthenticated or not
          allow write;
        }
      }
    }

which doesn't seem to work. I am using the REST API to get the data. For authentication I call: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[API_KEY]

Once authenticated we get the idToken and pass it as the Authorization header for the next URL: https://firestore.googleapis.com/v1beta1/projects//databases/(default)/documents/users

The users collection has the id as the document name and the value is just a bunch of dummy keys.

When I run the client the error I get is:

    {u'status': u'PERMISSION_DENIED', u'message': u'Missing or insufficient permissions.', u'code': 403}

If I hardcode the value of the userId it works. So the value returned in {userId} does not seem to match the UID for some reason.

Can someone please help decode why this is happening?

Thanks, Rams

1 Answer

1 votes

You don't need the {documents=**} selector:

    service cloud.firestore {
      match /databases/{database}/documents {
        // disallow all access
        match /{documents=**} {
          allow read, write: if false;
        }

        // Make sure the uid of the requesting user matches the name of the user
        // document. The wildcard expression {userId} makes the userId variable
        // available in rules.
        match /users/{userId} {
          allow read, update, delete: if request.auth.uid == userId;
          allow create: if request.auth.uid != null;
        }
      }
    }

https://firebase.google.com/docs/firestore/security/rules-conditions
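To see why the original pattern never covers the user document itself, here is an added Python model of rules-version-1 path matching (constructed for this thread, not Firestore's engine or anything from the answer): a `{name}` wildcard binds exactly one segment and `{name=**}` binds one or more, so `/users/{userId}/{documents=**}` only matches paths below `/users/<uid>`. The rule sets, paths and uids (`alice`, `bob`, `carol`) are assumed sample values.

```python
import re

# Added model of Firestore rules-version-1 path matching (not Firestore's engine).
# Paths are relative to /databases/{database}/documents. A {name} wildcard binds
# exactly one segment; {name=**} binds one OR MORE segments (the version-1 default).
def match_path(pattern, path):
    """Return wildcard bindings if `pattern` matches the document `path`, else None."""
    regex = ""
    for seg in pattern.strip("/").split("/"):
        m = re.fullmatch(r"\{(\w+)(=\*\*)?\}", seg)
        if m and m.group(2):
            regex += r"/(?P<%s>.+)" % m.group(1)     # recursive wildcard
        elif m:
            regex += r"/(?P<%s>[^/]+)" % m.group(1)  # single-segment wildcard
        else:
            regex += "/" + re.escape(seg)
    found = re.fullmatch(regex, "/" + path.strip("/"))
    return found.groupdict() if found else None

READ, WRITE = {"get", "list"}, {"create", "update", "delete"}

def grants(methods, op):
    """`read` covers get/list and `write` covers create/update/delete."""
    return op in methods or (op in READ and "read" in methods) \
        or (op in WRITE and "write" in methods)

def allowed(rules, op, path, auth_uid):
    """Firestore denies by default; any matching rule whose condition holds allows."""
    for pattern, methods, condition in rules:
        bindings = match_path(pattern, path)
        if bindings is not None and grants(methods, op) and condition(bindings, auth_uid):
            return True
    return False

# The question's rules: the pattern needs a segment AFTER the user id, so the
# user document /users/<uid> itself is never matched, and write is unconditional.
QUESTION_RULES = [
    ("/users/{userId}/{documents=**}", {"read"}, lambda b, uid: uid == b["userId"]),
    ("/users/{userId}/{documents=**}", {"write"}, lambda b, uid: True),
]

# The answer's rules: the user document is matched directly.
ANSWER_RULES = [
    ("/{documents=**}", {"read", "write"}, lambda b, uid: False),  # explicit deny
    ("/users/{userId}", {"read", "update", "delete"}, lambda b, uid: uid == b["userId"]),
    ("/users/{userId}", {"create"}, lambda b, uid: uid is not None),
]

if __name__ == "__main__":
    print(allowed(QUESTION_RULES, "get", "users/alice", "alice"))  # False
    print(allowed(ANSWER_RULES, "get", "users/alice", "alice"))    # True
```

Note that a list of the whole `users` collection is denied under both rule sets because rules are not filters; the REST client should request `.../documents/users/<uid>` for the signed-in user's own document.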