Tutorial: Using rules to control authentication


Webcom provides several ways of authenticating the end users of your applications. In most settings, security rules grant read or write permissions depending on who the authenticated user is. For this purpose, the JavaScript expressions implementing security rules are given the auth variable, which holds a JSON object describing the user authenticated at the time of the read or write operation (auth is null when the operation is not authenticated, which is why rules usually test it before dereferencing its fields).

This JSON object contains exactly the fields explained in the “Authentication State” chapter. The most commonly used ones are:

uid (String): a unique user ID across all providers, which identifies the user's Webcom account for the application.
provider (String): the authentication method used (for example: "password").

Typically, you will store all of your users under a single users node whose children are keyed by the uid of each user. The rules below let only the owner of an account write to it: the $uid wildcard is bound to the key under users that the operation targets, and it is compared with auth.uid. Read access, on the other hand, is granted to any user signed in with the email/password method. Note that this read rule is wider than "only the owner can see their own data": every password-authenticated user can read every other user's node. If the data under each account is private, use the same auth.uid === $uid test for .read as for .write.

{
  "rules": {
    "users": {
      "$uid": {
        // grants write access to the owner of this user account whose uid must exactly match the key ($uid)
        ".write": "auth !== null && auth.uid === $uid",
        // grants read access to any user who is signed in with the email/password method
        ".read": "auth !== null && auth.provider === 'password'"
      }
    }
  }
}
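The following is an added example, not code from the Webcom documentation or SDK: a small local simulator that evaluates rule expressions of the kind shown above against constructed auth objects. It models only what matters here, namely how auth and the $uid wildcard are bound when a read or write targets users/<uid>, and it deliberately ignores other parts of the real engine such as the downward cascading of a .read or .write granted at a parent node, .validate rules and the other rule variables. The sample users (alice, bob), the unauthenticated case and the stricter ownerOnlyRules variant are assumptions made for the demonstration.

```javascript
// Added example: a simplified model of rule evaluation, NOT the Webcom rules engine.
// Rules are the ones from the tutorial above.
const rules = {
  users: {
    $uid: {
      ".write": "auth !== null && auth.uid === $uid",
      ".read": "auth !== null && auth.provider === 'password'",
    },
  },
};

// Hardened variant (assumption, not from the page): only the owner may read its node.
const ownerOnlyRules = {
  users: {
    $uid: {
      ".write": "auth !== null && auth.uid === $uid",
      ".read": "auth !== null && auth.uid === $uid",
    },
  },
};

// Walk the rules tree along the path, binding any "$name" wildcard to the
// path segment it matches, then evaluate the ".read" / ".write" expression
// found at the target node. Anything not explicitly granted is denied.
// Simplification: a rule granted at a parent node is NOT cascaded downwards here.
function evaluate(rulesTree, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const bindings = {};
  let node = rulesTree;
  for (const seg of segments) {
    if (seg.startsWith(".") || seg.startsWith("$")) return false; // not a data key
    if (node[seg] !== undefined) {
      node = node[seg]; // literal key such as "users"
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false; // no rule covers this path: deny
      bindings[wildcard] = seg; // e.g. $uid -> "alice"
      node = node[wildcard];
    }
  }
  const expr = node["." + op];
  if (typeof expr !== "string") return false; // no rule at this node: deny
  // Rule expressions are trusted configuration written by the developer, so
  // compiling them with Function is acceptable in this local simulator.
  const names = Object.keys(bindings);
  const fn = new Function("auth", ...names, `"use strict"; return Boolean(${expr});`);
  return fn(auth, ...names.map((n) => bindings[n]));
}

// Constructed sample principals.
const alice = { uid: "alice", provider: "password" };
const bob = { uid: "bob", provider: "password" };
const nobody = null; // unauthenticated request

// Returns the outcome of each scenario so the behaviour can be inspected or asserted on.
function runScenarios() {
  return {
    ownerWritesOwnNode: evaluate(rules, "write", "users/alice", alice), // true
    otherUserWritesNode: evaluate(rules, "write", "users/alice", bob), // false
    otherUserReadsNode: evaluate(rules, "read", "users/alice", bob), // true: the wide read rule
    anonymousReadsNode: evaluate(rules, "read", "users/alice", nobody), // false
    unruledPath: evaluate(rules, "read", "settings/theme", alice), // false: nothing granted
    ownerOnlyOtherReads: evaluate(ownerOnlyRules, "read", "users/alice", bob), // false
    ownerOnlyOwnerReads: evaluate(ownerOnlyRules, "read", "users/alice", alice), // true
  };
}

console.log(runScenarios());
```

The otherUserReadsNode case is the one to look at: with the tutorial's rules, bob can read alice's node because the .read expression only checks the provider, not the identity. The ownerOnlyRules variant shows the one-token change that closes that gap when the data is meant to be private.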