
Authentication-based rules in Firebase - Commands & Configuration

Introduction
When you store data in Firebase, you want to control who can read or write it. Authentication-based rules let you allow only signed-in users to access certain data, keeping your app safe and private.
When you want only logged-in users to read their own profile data.
When you want to prevent anonymous users from writing data to your database.
When you want to allow users to update only their own records.
When you want to restrict access to certain parts of your database based on user login status.
When you want to secure your app data without building a separate backend.
Config File - firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Allow read/write only if the user is signed in and owns this document
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}

This file sets the security rules for the Firestore database.

rules_version specifies the rules syntax version.

service cloud.firestore targets Firestore.

match /users/{userId} applies the rules to every document in the users collection and binds the document ID to the userId variable.

allow read, write permits these actions only if the user is signed in (request.auth != null) and their user ID matches the document ID (request.auth.uid == userId).

Commands
This command uploads and activates your Firestore security rules to Firebase, enforcing your authentication-based access control.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'your-project-id'...
✔ Deploy complete!
Project Console: https://console.firebase.google.com/project/your-project-id/overview
Firestore rules deployed successfully.
--only firestore:rules - Deploys only Firestore security rules without affecting other Firebase services.
Starts the local Firestore emulator so you can test your authentication rules safely on your computer before deploying.
Terminal
firebase emulators:start --only firestore
Expected Output
i emulators: Starting emulators: firestore
✔ firestore: Emulator started at http://localhost:8080
⚠ firestore: Authentication is not enforced in the emulator.
--only firestore - Starts only the Firestore emulator.
Runs tests against your Firestore rules using a test file to verify that authentication-based access works as expected.
Terminal
firebase firestore:rules:test --rules=firestore.rules --file=tests.json
Expected Output
Running Firestore rules tests...
All tests passed successfully.
Key Concept

If you remember nothing else from this pattern, remember: authentication-based rules let only signed-in users access their own data securely.

Common Mistakes
Allowing read or write without checking if the user is signed in.
This lets anyone, even without login, access or change your data, risking security.
Always check that request.auth is not null before allowing access.
Not matching the user ID in the rule to the authenticated user's ID.
Users could read or write other users' data, breaking privacy.
Use request.auth.uid == userId to ensure users access only their own documents.
Deploying rules without testing them locally first.
Mistakes in rules can lock out users or expose data unintentionally.
Use the Firebase emulator to test rules before deploying.
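The following rules file is an added example, not code from the page or from Firebase itself. It extends the page's owner-only users rule to the general pattern behind the mistakes listed above: every allow is gated on request.auth, the document ID (or a stored owner field) is tied to request.auth.uid, and the commented-out "allow if true" rule shows the weak form for contrast. The posts collection, its authorId field and the displayName field are hypothetical; the helper functions, request.resource, resource and the keys().hasAll() check are standard rules-language features.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep the conditions short and consistent.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // The weak form from "Common Mistakes": no auth check at all, so an
    // anonymous caller can read and overwrite every profile. Kept only
    // for comparison; never deploy it.
    // match /users/{userId} {
    //   allow read, write: if true;
    // }

    // Hardened form: only the owner may read or write their own profile.
    // Splitting write into create/update/delete lets each be validated.
    match /users/{userId} {
      allow read: if isOwner(userId);
      // On create, require the profile to carry a displayName field
      // (hypothetical schema) so malformed documents cannot be written.
      allow create: if isOwner(userId)
                    && request.resource.data.keys().hasAll(['displayName']);
      allow update: if isOwner(userId);
      allow delete: if isOwner(userId);
    }

    // Hypothetical posts collection: any signed-in user may read, only
    // the author may change a post, and the stored authorId must be the
    // caller's uid so nobody can publish under another user's identity.
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid;
      // resource.data is the existing document; request.resource.data is
      // the proposed new content. The author may edit but not reassign.
      allow update: if signedIn()
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;
      // request.resource is null on delete, so only resource.data is used.
      allow delete: if signedIn()
                    && resource.data.authorId == request.auth.uid;
    }

    // Any path not matched above is denied, which is the rules default.
  }
}
```

Load this file into the emulator (firebase emulators:start --only firestore) and exercise it with an unauthenticated request, a request from a different uid, and a request from the owner; only the last should succeed for the users and posts write rules, which is exactly the check the page's emulator step is meant to perform before firebase deploy --only firestore:rules.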
Summary
Write Firestore rules that check if a user is signed in using request.auth != null.
Match document IDs to the authenticated user's ID to restrict access to their own data.
Deploy rules with 'firebase deploy --only firestore:rules' and test locally with the emulator.