Tutorial: Using rules to control authentication

Step by stepSecurity Using rules to control authentication

[[service]] gives you full control over user authentication. Login providers are server-side components that authenticate your users. Choose a built-in login provider for a common authentication use case, or build your own custom login provider to address special login needs.

No matter how you authenticate your user, this action defines the auth variable in your Security and [[service]] rules. This variable contains the user's auth payload, which includes that user's unique identifier (uid), and the name of the provider they logged with:

Field Description Type
uid A unique user ID, intended as the user's unique key across all providers. String
provider The authentication method used, in this case: password. String

Built-in providers also add provider-specific fields to auth, such as the user's name. If you implement a custom login provider, you can add your own fields to your user's auth payload.

Typically, you'll store all of your users in a single users node whose children are the uid values for every user. If you wanted to restrict access to this data such that only the logged-in user can see their own data, your rules would look something like this:

{
  "rules": {
    "users": {
      "$uid": {
        // grants write access to the owner of this user account whose uid must exactly match the key ($uid)
        ".write": "auth !== null && auth.uid === $uid",
        // grants read access to any user who is logged in with an email and password
        ".read": "auth !== null && auth.provider === 'password'"
      }
    }
  }
}