How to Validate Data in Firebase Security Rules

In Firebase security rules, you validate data by writing conditions inside allow statements, using request.resource.data to inspect the data a write would store. Use type checks with the is operator (such as is string), the size() function, and comparisons to ensure data meets your rules before allowing writes.

Syntax

Firebase security rules use allow statements with conditions to control access. You validate data by checking request.resource.data, which holds the incoming data. Use expressions and functions to test data types, sizes, and values.

  • allow write: if condition; - allows write if condition is true.
  • request.resource.data.field - accesses a field in the new data.
  • Type checks such as is string and is number, together with size(), help check data type and length.

service cloud.firestore {
  match /databases/{database}/documents {
    match /collection/{docId} {
      allow write: if request.resource.data.field is string
                     && request.resource.data.field.size() <= 50;
    }
  }
}

Example

This example validates that a username field is a string between 3 and 20 characters and that an age field is an integer greater than or equal to 13 before allowing writes.

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow create, update: if
        request.resource.data.username is string
        && request.resource.data.username.size() >= 3
        && request.resource.data.username.size() <= 20
        && request.resource.data.age is int
        && request.resource.data.age >= 13;
    }
  }
}
Output
Write allowed only if username is a string 3-20 chars and age is an integer >= 13.

Common Pitfalls

Common mistakes include:

  • Not checking data types before accessing fields, causing errors.
  • Using resource.data instead of request.resource.data when validating new data.
  • Forgetting to check all required fields, allowing incomplete data.
  • Using incorrect functions or operators, like == instead of is for type checks.

service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemId} {
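      // Wrong: no type check. size() errors on values that have no size,
      // and a non-empty list or map would also pass this condition.
      // Shown commented out: allow statements are OR'd, so leaving it
      // active would let writes bypass the stricter rule below.
      // allow write: if request.resource.data.name.size() > 0;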

      // Right: check type before size
      allow write: if request.resource.data.name is string
                     && request.resource.data.name.size() > 0;
    }
  }
}
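
The pitfall about unchecked required fields can be closed by validating the shape of the whole document, not only individual fields. The following is an added example, not part of the original page; the helper name isValidUser, the optional bio field and its 200-character limit are assumptions.

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper that validates the whole incoming document:
    //  - hasAll():  both required fields must be present
    //  - hasOnly(): no field outside the allowlist may be written
    //  - each field is type-checked before its value or size is used
    //  - 'bio' (assumed optional field) is validated only when present
    function isValidUser(data) {
      return data.keys().hasAll(['username', 'age'])
        && data.keys().hasOnly(['username', 'age', 'bio'])
        && data.username is string
        && data.username.size() >= 3
        && data.username.size() <= 20
        && data.age is int
        && data.age >= 13
        && (!('bio' in data)
            || (data.bio is string && data.bio.size() <= 200));
    }

    match /users/{userId} {
      // request.resource.data is the document as it would look after
      // the write, so one check covers both create and update.
      allow create, update: if isValidUser(request.resource.data);
    }
  }
}
```

Without the hasOnly() allowlist, a client could attach arbitrary extra fields to an otherwise valid document.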

Quick Reference

Use these common functions and checks in Firebase security rules:

| Function/Check | Description | Example |
|---|---|---|
| is string | Checks if value is a string | request.resource.data.name is string |
| is int | Checks if value is an integer | request.resource.data.age is int |
| size() | Returns length of string or array | request.resource.data.name.size() <= 20 |
| exists() | Checks if a document exists | exists(/databases/$(database)/documents/users/$(userId)) |
| ==, !=, <, > | Comparison operators | request.resource.data.age >= 13 |

Key Takeaways

Always validate data types using 'is' before accessing fields.
Use 'request.resource.data' to check incoming data in write operations.
Combine multiple conditions to enforce strict data validation.
Test your rules with Firebase Emulator to catch errors early.
Avoid common mistakes like missing type checks or using wrong operators.