
How to validate the email address in Firebase security rules

I have been saving user data under a reference ID, along with some user info containing an email address. I want to make the data available, but prevent people from guessing IDs and seeing if there is info behind them.

I only want to give the data if they provide me the ID AND the email address they registered with.

So I have this data stored in Firebase:

{ "data" : {
   "ms12345678" : {
       "name" : "John Doe",
       "age"  : 40,
       "email" : "johndoe@domain.com"
    }
  }
}

So doing var ref = firebase.database().ref("data/ms12345678") should fail, unless I provide johndoe@domain.com as well.

I am not sure what approach I should take here. I don't want users to authenticate, but provide them with a link.

You can verify that the account's email address matches that value with:

{
  "rules": {
    "data": {
      "$uid": {
        ".read": "auth.token.email === data.child('email').val()"
      }
    }
  }
}

See the documentation on auth.token for a list of the properties available.

Alternatively you can require that the user knows the email address. To do this, embed the email address into the path of a user:

{ "data" : {
   "ms12345678" : {
      "johndoe@domain,com": {
         "name" : "John Doe",
         "age"  : 40,
         "email" : "johndoe@domain.com"
      }
   }
  }
}

With this, you can restrict read-access to people that know the full path:

{
  "rules": {
    "data": {
      "$uid": {
        "$email": {
          ".read": "auth.uid === $uid"
        }
      }
    }
  }
}
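
Added example (not part of the original answer): a client-side helper that turns an email address into the path segment used above, following the answer's "." to "," convention and rejecting input that cannot be a Realtime Database key. The function names `emailToKey`, `keyToEmail` and `recordPath` are hypothetical.

```javascript
// Added example, not code from the answer. Function names are hypothetical.

// Characters that Realtime Database keys may not contain.
const FORBIDDEN_IN_KEY = /[.$#\[\]\/\x00-\x1f\x7f]/;

function emailToKey(email) {
  if (typeof email !== "string" || !email.includes("@")) {
    throw new TypeError("not an email address");
  }
  // A literal comma would collide with the encoded form of ".".
  if (email.includes(",")) {
    throw new RangeError("email contains ',' and cannot be encoded unambiguously");
  }
  const key = email.replace(/\./g, ",");
  // "$", "#", "/", "[" and "]" are legal in some addresses but not in keys.
  if (FORBIDDEN_IN_KEY.test(key)) {
    throw new RangeError("email contains a character not allowed in a key");
  }
  return key;
}

// Reverse mapping, valid for keys produced by emailToKey.
function keyToEmail(key) {
  return key.replace(/,/g, ".");
}

// Build data/<id>/<email key>. The id is validated as well, so that
// caller-supplied input (for example from a link) cannot add path segments.
function recordPath(id, email) {
  if (typeof id !== "string" || id === "" || FORBIDDEN_IN_KEY.test(id)) {
    throw new RangeError("invalid record id");
  }
  return `data/${id}/${emailToKey(email)}`;
}

// Sample values taken from the question.
console.log(recordPath("ms12345678", "johndoe@domain.com"));
// With the SDK loaded:
//   firebase.database().ref(recordPath(id, email)).once("value")
```

Keys are case-sensitive, so the address has to be stored and looked up in the same form.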
