Learn Firebase security rules for role checking in 5 minutes
Firebase security rules control data access for Cloud Firestore and Firebase Storage. With a few lines of rules we can manage who may access which data without running a backend server.
1 Understanding the two main operations in Firebase security rules
There are two major operations, read and write, which together split into five sub-operations that control data access.
Read can be split into two sub-operations:
- get ( determine whether the user can get a document )
- list ( determine whether the user can get a group of documents in a collection )
Write can be split into three sub-operations:
- create ( determine whether the user can create a document )
- update ( determine whether the user can update the field in a document )
- delete ( determine whether the user can delete a document )
match /{document=**} {
  allow read: if true;
  allow write: if false;
}
is equivalent to
match /{document=**} {
  allow get: if true;
  allow list: if true;
  allow create: if false;
  allow update: if false;
  allow delete: if false;
}
2 Understanding three common ways to check user permissions
1 Use UID
When a user accesses our Firestore data, their Firebase Auth object is passed to the security rules as request.auth.
allow get: if request.auth != null;
// Only a signed-in user can access.
allow get: if request.auth.uid == "EuT6NHtlADYSB1GVMaqD40QXTao2";
// Only the user with uid "EuT6NHtl..." can access this document.
In the example above, we hard-coded which uid can access the document. In a real application we won't do that, since the application contains different roles and each user can create their own posts, comments, etc.
To solve this problem, we can add a field called "createUserID" to each piece of user-created content, storing who created it.
allow get: if request.auth.uid == resource.data.createUserID;
// Here, "resource.data" refers to the document the user is about to access.
2 User profile document
To use this method, we need a document that stores the role of each user.
allow get: if get(/databases/$(database)/documents/Member/$(request.auth.uid)).data.role == "administrator";
// We can read another document inside the security rules with
// get(/databases/$(database)/documents/$(collection)/$(document))
// .data.role reads the field "role" of that document,
// and we check that it is equal to "administrator".
Be aware of the cost of this method: Firestore fetches the full document when you use the "get" function, so one extra database read is billed per rule evaluation, and the check takes longer because of the extra round trip.
3 Firebase Auth custom claims
Using Firebase Auth custom claims to check roles is the best practice. Custom claims must be set with the Firebase Admin SDK or from Firebase Cloud Functions.
See this link to learn how to "Create your first Firebase auth custom claim in nodejs".
After the custom claim is set, we can use
allow get: if request.auth.token.role == "administrator";
to check the user role.
The benefits of this method:
1 saves the time spent fetching the user profile document
2 more flexible
3 more secure (the token can only be changed from the backend)
In the next article, we will use a real-world example to explain.
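Putting the three approaches together, as an added example that is not from the original article: a complete rules file that uses the article's Member collection and createUserID field, an assumed posts collection, and helper function names that are my own. It also adds the checks a deployment needs: the role-bearing profile document is writable only by admins, and createUserID is pinned on create and update so ownership cannot be forged.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (assumed names, defined for this example)
    function signedIn() {
      return request.auth != null;
    }

    // Method 3: role from the custom claim on the ID token (only the backend can set it).
    // The 'in' guard avoids an evaluation error when the claim is absent.
    function isAdmin() {
      return signedIn() && 'role' in request.auth.token
        && request.auth.token.role == "administrator";
    }

    // Method 1: ownership via the createUserID field stored in the document
    function isOwner(doc) {
      return signedIn() && doc.data.createUserID == request.auth.uid;
    }

    // Method 2 (shown for comparison, not used below): role from the profile document.
    // Costs one extra document read every time the rule is evaluated.
    function isAdminByProfile() {
      return signedIn()
        && get(/databases/$(database)/documents/Member/$(request.auth.uid)).data.role == "administrator";
    }

    // Member profiles hold roles, so only admins may write them (a user must not set their own role)
    match /Member/{userId} {
      allow get: if signedIn() && request.auth.uid == userId;
      allow list, write: if isAdmin();
    }

    // User-generated content (assumed collection name "posts")
    match /posts/{postId} {
      allow get, list: if signedIn();
      // The creator must stamp the document with their own uid, so ownership can't be claimed for someone else
      allow create: if signedIn() && request.resource.data.createUserID == request.auth.uid;
      // Owner or admin may update, but createUserID must stay unchanged
      allow update: if (isOwner(resource) || isAdmin())
        && request.resource.data.createUserID == resource.data.createUserID;
      allow delete: if isOwner(resource) || isAdmin();
    }
  }
}
```

Note that resource.data is the stored document while request.resource.data is the document as it would look after the write, which is why the update rule compares the two.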