Firebase auth database rules

Question

I am working on the app that I need to connect to the dev firebase. This firebase has database rules as follows:

"rules": {
    // no read access at root level
    ".read": "auth.uid === 'emailaddressgmailcom'",
    ".write": false,

What I cannot understand is how auth.uid is specified to be an exact email address? As far as I tried I only get unique uid provided by Google. (set of numbers and letters) Hence I can never pass the auth to read from the database, unless I specify my exact uid given by Google in the databse rules, which is not an option because there will be another user who needs an access to db and I do not know his uid.

Renaud Tarnec Renaud Tarnec · Accepted Answer · 2020-06-05T10:41:56

auth is one of the predefined variables.

By doing auth.uid, you get the user id ("guaranteed to be unique across all providers").

You need, in your Security Rules to use it to defined the access rights of a given user to one or more given resources, as explained here in the doc.

You could compare it to a fixed value, if a certain resource shall be read by a unique user:

".read": "auth.uid === 'HGH656675FHGFGHF3454'"

but usually you compare it to some parts of the path of the node/resource you want to protect, like for example:

{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

This is how you should do to solve your problem "there will be another user who needs an access to db and I do not know his uid".

I would suggest you read the entire section about RTDB Security Rules form more details: https://firebase.google.com/docs/database/security

Firebase auth database rules

2 Answers