'Firebase Realtime Database Rules checking for array contains

My auth token includes a stores property. This property is an Array that includes ID's of all stores the user is allowed to access. For example: stores: ['abc123', 'def456'].

Now, in my Firebase Realtime Database, I am saving store specific data like this:

{
  "stores": {
    "abc123": {
      "data": "mydata"
    },
    "def456": {
      "data": "mydata"
    }
  }
}

Users are allowed to access the realtime database data if their stores property array includes the storeID specific data they want to access.

What I would like my rules to look like:

{
  "rules": {
    "stores": {
      "$store_id": {
        ".read": "auth.token.stores.includes($store_id)"
      }
    }
  }
}

This is not possible. I get the following error:

Error saving rules - line 5: type error: function call on target that is not a function.

Is it possible to search trough token property arrays in the firebase rules or will I have to use an object? Thanks for any answers!

firebasefirebase-realtime-databasefirebase-security


Solution 1:[1]

Firebase Realtime Database does not have any includes() to check if a value if present in an array or not. You can store the claims as a map instead of an array as shown below:

// custom claims
{
  stores: {
    store1: true,
    store2: true,
    store3: false
  }
}

Then you can use the following rules to check if user has access to a particular store or no:

{
  "rules": {
    "stores": {
      "$store_id": {
        ".read": "auth.token.stores[$store_id] == true"
      }
    }
  }
}

Solution 2:[2]

You can use in operator from List

v in x
Check if value v exists in list x.

'a' in ['a','b'] == true

Sample Security Rules how it can be done

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      
      match /stores/{storeId} {
        allow read: if isAuthenticated() && isUserAllowed();
      }
      
      function isAuthenticated() {
        return request.auth != null;
      }

      function isUserAllowed() {
        return request.auth.uid in resource.data.stores
      }

    }
  }
}

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dharmaraj
Solution 2 Min ho Kim

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

How to set up Firebase Push Notification with Deep Link with Unity3D

Xcode build is missing expected TARGET_BUILD_DIR build setting

How to get TypeScript to recognize firebase import

FirebaseMessagingService Illegal Access

How do I access data from a top-level document in a Cloud firestore trigger with Cloud functions?

Firebase push notifications stops working after some time for all users in my Flutter app. Is this correct flutter fcm implementation?

Firebase deploy node modules issue

React-router did not work on production

In new Firebase, how to use multiple config file in xcode?

Flutter Firebase foreground push notification not showing but background is working

Datatables search, filter, and export with Firebase

Can't fill array with firestore data

"No such module 'Firebase'" when add Firebase into a library

FCM notification not retrieve when app is closed