Firebase | cloud | ~30 mins

Authentication-based rules in Firebase - Mini Project: Build & Apply

Firebase Authentication-Based Security Rules
📖 Scenario: You are building a simple Firebase Firestore database for a small app where users can save personal notes. Each user should only be able to read and write their own notes. You will create security rules that check the user's authentication ID to enforce this.
🎯 Goal: Create Firebase Firestore security rules that allow authenticated users to read and write only their own documents in the notes collection. Each document's ID matches the user's UID.
📋 What You'll Learn
Create a notes collection where each document ID is the user's UID
Allow read and write access only if the user is authenticated
Allow read and write access only if the document ID matches the authenticated user's UID
💡 Why This Matters
🌍 Real World
Firebase security rules protect user data by ensuring only authorized users can access or modify their own information.
💼 Career
Understanding authentication-based rules is essential for cloud engineers and developers working with Firebase or similar backend services to secure applications.
1. Define the notes collection in Firestore rules
Write the initial Firestore rules structure with a match block for the notes collection using match /notes/{userId}.
Hint: Start by writing match /notes/{userId} inside the match /databases/{database}/documents block.

2. Add authentication check variable
Inside the match /notes/{userId} block, create a variable called isSignedIn that checks if request.auth != null.
Hint: Use let isSignedIn = request.auth != null; to check if the user is signed in.

3. Add rule to allow access only if user is authenticated and owns the document
Replace the allow read, write: if false; line with a rule that allows read and write only if isSignedIn is true and request.auth.uid == userId.
Hint: Use allow read, write: if isSignedIn && request.auth.uid == userId; to restrict access.

4. Complete the Firestore security rules
Ensure the full Firestore security rules include the service cloud.firestore block, the match /databases/{database}/documents block, and the match /notes/{userId} block with the authentication-based access rule.
Hint: Make sure all parts of the rules are included and correctly nested.
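
The complete rules file that steps 1 to 4 build up to, added here as an example and not taken from the original lesson. isSignedIn is written as a function, with a hypothetical isOwner helper, because the rules language accepts let bindings only inside function bodies.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries a verified Firebase Authentication token.
    function isSignedIn() {
      return request.auth != null;
    }

    // True when the caller's UID equals the document ID being addressed.
    // isOwner is a helper name chosen for this example.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // One document per user; {userId} captures the document ID.
    match /notes/{userId} {
      // read covers get and list; write covers create, update and delete.
      //   no token                  -> denied
      //   token for another UID     -> denied
      //   token whose UID == userId -> allowed
      allow read, write: if isOwner(userId);
    }

    // No other match block is defined, so every other path stays denied,
    // which is the default for anything a rule does not explicitly allow.
  }
}
```

The signed-in check comes first in isOwner so that request.auth.uid is never read on an unauthenticated request.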