0
votes

I have an email collection where any user (public) can add a new document with his email.

docID: {
  email: '[email protected]'
}

So right now my security rules for the email collection are:

match /email/{documentID} {
  allow read: if request.auth.token.admin == true;
  allow create: if true;
}

Because I don't want users being able to read other users' emails.

But I want the client code to be able to query for the user's own email, in order to avoid duplicates in my DB. So I want my client code to be able to do this:

const querySnapshot = await props.firebase.firestore()
  .collection('email').where('email', '==', email).get();

QUESTION

How should I write my security rules to achieve that behavior?

I don't want them to be able to query the full email collection.

1 Answer

2
votes

I don't think this is possible. Consider instead writing a Cloud Function that takes the email address as input, queries the email collection for it, then returns a boolean to the client indicating if it was present.

Note that this allows anyone to effectively query for any email address, not just "their own" (however you define that ownership).
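The Cloud Function approach from the answer, written out as an added example (this is not code from the question, the answer, or Firebase itself). The function names, the `normalizeEmail` helper, and the in-memory stand-in for the Firestore query chain are all assumptions made here so the check can run offline; the real deployment wiring with `firebase-functions` and `firebase-admin` is shown in comments. The point it demonstrates: the client never receives read access to the `email` collection (the rules from the question stay as they are, read for admins only); the function runs with admin privileges and returns only a boolean, after validating and normalising the input so that lookups are consistent with how addresses were stored.

```javascript
// Added example (not from the question or answer): a callable Cloud Function
// that answers "is this email already registered?" with only a boolean.

// Normalise the address the way it should be stored, so lookups match.
// Returns null when the input is not a plausible single email address.
function normalizeEmail(input) {
  if (typeof input !== 'string') return null;
  const email = input.trim().toLowerCase();
  // Deliberately simple shape check: one '@', no whitespace, bounded length.
  if (email.length === 0 || email.length > 254) return null;
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return null;
  return email;
}

// Core check: query the `email` collection for an exact match and return
// only whether at least one document exists. The documents themselves are
// never returned to the caller.
async function emailExists(db, rawEmail) {
  const email = normalizeEmail(rawEmail);
  if (email === null) {
    throw new Error('invalid-argument');
  }
  const snap = await db
    .collection('email')
    .where('email', '==', email)
    .limit(1)
    .get();
  return !snap.empty;
}

// Deployment wiring (assumed; needs the Firebase SDKs, so it is left as a comment):
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.emailExists = functions.https.onCall(async (data) => {
//     try {
//       return { exists: await emailExists(admin.firestore(), data.email) };
//     } catch (e) {
//       throw new functions.https.HttpsError('invalid-argument', 'Bad email');
//     }
//   });
// The security rules from the question stay unchanged: clients still cannot
// read the collection; only the function (admin SDK) can.

// Constructed in-memory stand-in for the Firestore query chain used above,
// so the check can be exercised without a Firebase project.
function makeFakeDb(docs) {
  return {
    collection(name) {
      let rows = docs.filter((d) => d._collection === name);
      const q = {
        where(field, op, value) {
          if (op !== '==') throw new Error('unsupported op ' + op);
          rows = rows.filter((d) => d[field] === value);
          return q;
        },
        limit(n) {
          rows = rows.slice(0, n);
          return q;
        },
        async get() {
          return { empty: rows.length === 0, size: rows.length };
        },
      };
      return q;
    },
  };
}

// Constructed sample data: two registered addresses, stored lower-cased.
const sampleDb = makeFakeDb([
  { _collection: 'email', email: 'alice@example.com' },
  { _collection: 'email', email: 'bob@example.com' },
]);

// Stand-alone demo: mixed case and surrounding whitespace still match.
emailExists(sampleDb, ' Alice@Example.com ').then((r) =>
  console.log('exists:', r)
);
```

The answer's caveat still applies to this design: anyone who can call the function can learn whether any address is registered. Limiting the response to a boolean, normalising input, and keeping the collection itself unreadable is what the function buys; if that enumeration is a concern, the check should also be gated by something the caller has to prove (App Check, a signed-in user) rather than exposed to anonymous callers.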