
How to Allow Authenticated Users Only in Firebase

To allow only authenticated users in Firebase, enable Firebase Authentication and write security rules that check request.auth != null. This ensures only signed-in users can read or write data.

Syntax

Firebase security rules use request.auth to check if a user is signed in. The key check is request.auth != null, which means the user is authenticated.

Example rule parts:

  • allow read, write: defines permissions.
  • if request.auth != null; allows access only if the user is signed in.
firebase
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Example

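This example shows a Firestore security rule that allows only authenticated users to read and write any document in the database. Every signed-in user gets access to every document; the rule does not limit users to their own data.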

firebase
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
Output
If a user is signed in, they can read and write data; otherwise, access is denied.

Common Pitfalls

Common mistakes include:

  • Not enabling Firebase Authentication in the Firebase Console.
  • Writing rules without request.auth != null, which allows public access.
  • Forgetting to deploy updated security rules after changes.

Always test your rules using the Firebase Emulator or the Rules Playground.

firebase
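service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // Wrong: allows anyone to read and write.
      // Shown commented out: if both statements were active, access would be
      // granted whenever either condition is true, so this one would win.
      // allow read, write: if true;

      // Right: restrict to authenticated users
      allow read, write: if request.auth != null;
    }
  }
}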
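
A static check for the second pitfall above, as an added example that is not part of the original page: it scans rules text for allow statements that grant access without referencing request.auth. The function names and the sample rules are constructed for illustration, and the check is a heuristic that complements testing in the emulator rather than replacing it.

```javascript
// Heuristic lint (added example): flags allow statements that never check request.auth.
// Blank out comments, keeping newlines so reported line numbers stay correct.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/.*$/gm, "");
}

// Returns [{ line, methods, condition, issue }] for each flagged allow statement.
function findUnauthenticatedAllows(rulesText) {
  const src = stripComments(rulesText);
  const allowRe = /\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+([\s\S]*?))?\s*;/g;
  const findings = [];
  let m;
  while ((m = allowRe.exec(src)) !== null) {
    const methods = m[1].split(",").map((s) => s.trim());
    const condition = m[2] === undefined ? null : m[2].replace(/\s+/g, " ").trim();
    let issue = null;
    if (condition === null || condition === "true") {
      issue = "public"; // no condition, or always true
    } else if (condition !== "false" && !/\brequest\.auth\b/.test(condition)) {
      issue = "no-auth-check"; // condition never looks at request.auth
    }
    if (issue) {
      const line = src.slice(0, m.index).split("\n").length;
      findings.push({ line, methods, condition, issue });
    }
  }
  return findings;
}

// Constructed sample rules (not from a real project).
const SAMPLE_RULES = `service cloud.firestore {
  match /databases/{database}/documents {
    match /public/{doc} {
      allow read: if true;
    }
    match /notes/{doc} {
      // allow write: if true;
      allow read, write: if request.auth != null;
    }
    match /logs/{doc} {
      allow create: if request.resource.data.size() < 10;
      allow delete: if false;
    }
  }
}`;
for (const f of findUnauthenticatedAllows(SAMPLE_RULES)) console.log(`line ${f.line}: ${f.issue}`);
```

Conditions that delegate the sign-in check to a helper function are reported as no-auth-check and need a manual look.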

Quick Reference

| Rule Part | Description |
| --- | --- |
| request.auth != null | User must be signed in |
| allow read, write: if request.auth != null; | Allow read/write only for authenticated users |
| allow read: if false; | Deny all reads |
| allow write: if false; | Deny all writes |

Key Takeaways

  • Enable Firebase Authentication to identify users.
  • Use security rules with 'request.auth != null' to restrict access.
  • Always test your rules before deploying.
  • Deploy updated rules after any change.
  • Avoid using 'allow read, write: if true;' to prevent public access.