Query Single Document Based on Single Field Firestore

0
votes

I have recently been working with React and Firebase to create a project where I would need to find specific documents in my collection based on their fields.

Currently, the only way to do this is by the following:

let ref = myFirebase.firestore().collection("Users");
let refQuery = ref.where('Token', '==', userUID);

This will give me the result I am looking for but in my rules I would have to allow my user to allow list or allow read for the collection Users. To my understanding, this will be a potential hazard because I'm allowing the user to go through all the users in my collection. Instead, I want to be able to keep my rules to only allow get so only the user can retrieve his own information but it won't work with my query code above.

Is there anyway I can change my React query code to be able to put my rules to only allow get for my user in my Users collection?

Here is a snippet from my rules that I want to implement:

match /Users/{UsersDoc} {
    allow create: if request.auth.uid != null;
    allow update, delete, get: if request.auth.uid == resource.data.Token;
}
1
firebasegoogle-cloud-firestorefirebase-security

1 Answers

1
votes

allow get only works for individual document gets, and not for queries.

What you have now is actually exactly what you want, except you just want to apply it to read access:

allow update, delete, read: if request.auth.uid == resource.data.Token;

This does not allow the user to "go through all the users", as you're suggesting. It forces the user to only query Users with the filter on Token that you require. Any other query that doesn't filter correctly on Token will be rejected. This is something that you should be able to test pretty easily.