Firebase - how to restrict authenticated user's access to certain paths?

Question

Simple enough question:

How do I restrict paths, such as...

/orders/<userid>

/cart/<userid>

/transactions/<userid>/txid

...only to users whose userid matches the one in the path?

I have authentication set up and I need to subscribe to some of these in Vue after firebase.auth().onAuthStateChanged

It appears, as per the docs here, that in the following rule example, the user token must match the key exactly:

{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

Does this mean that, /orders/123456/order123478 will be restricted and only available to user 123456 ?

Answer 1

For the realtime database, update your rules to something like this:

{
  "rules": {
    "orders": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

The $uid key represents any key nested at that level and allows you to reference it in your rules. The auth variable is provided by Firebase and contains details about the authenticated user who issued the request, so you can compare the requesting user's uid with the database's uid key and grant permissions if they match (the nested ".read" and ".write" values).

So for a user who's uid is user1 , they would have access to the following data:

{
  "orders": {
    "user1": {
      "order1": read/write,
      "order2": read/write
    },
    "user2": {
      "order1": no access,
      "order2": no access
    },
    "user3": {
      "order1": no access,
      "order2": no access
    },
}

Read the documentation and play around with the simulator found in the Rules section of the Firebase dashboard.