We are building a mobile app and would like to use the firebase token id in the rules using ios sdk (as we do in the nodejs functions "admin.auth().verifyIdToken(firebaseIdToken)" )
Should we send the secured token itself in any way and use it in the rule itself or does firebase doing it for us? at the moment my rule is
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
but I'm not sure if it's secured enough, does the ios sdk send the userId in the request or does it use the token and then Firestore translates it to uid?
