“auth” Rule Variable

Firebase 'auth' payload

Firebase lets you authenticate users with several built-in providers and generates auth tokens for them. After a user is authenticated with one of the built-in providers, the auth variable will contain the following:

Field     Description
provider  The authentication method used ("password", "anonymous", "facebook", "github", "google", or "twitter").
uid       A unique user id, guaranteed to be unique across all providers.

As an example, we could have a rule like the following to allow users to create comments as long as they store their user ID with the comment:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && newData.child('user_id').val() == auth.uid"
    }
  }
}

We could also make a rule like the following to allow users to create comments as long as they are signed in using Facebook:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "!data.exists() && auth.provider == 'facebook'"
    }
  }
}

Custom 'auth' payload

If you generated the token using one of our Token Generator Libraries, the contents of auth will be whatever JSON you passed to createToken(). For example, if you created a token using the following snippet:

var FirebaseTokenGenerator = require("./firebase-token-generator-node.js");
var tokenGenerator = new FirebaseTokenGenerator("YOUR_FIREBASE_SECRET");
var token = tokenGenerator.createToken({ "uid": "1234", "isModerator": true });

Then you could use auth.uid and auth.isModerator inside your rule expressions. For example, the following rules give users the ability to create comments with their own user ID as well as give moderators the power to modify any user's comments:

{
  "rules": {
    ".read": true,
    "$comment": {
      ".write": "(!data.exists() && newData.child('user_id').val() == auth.uid) || auth.isModerator == true"
    }
  }
}
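
The three ".write" expressions above can be checked against concrete write attempts. The following is an added example, not Firebase code or part of the original documentation: snapshot(), canWrite() and decisions() are hypothetical helpers that model data, newData and auth in plain JavaScript, and all users and comments are constructed sample values.

```javascript
// Added model of the page's three ".write" expressions. Not Firebase code:
// snapshot() is a hypothetical stand-in for the rules' data/newData objects.
function snapshot(value) {
  const v = value === undefined ? null : value;
  return {
    exists: () => v !== null,
    val: () => v,
    child: (key) =>
      snapshot(v !== null && typeof v === "object" && key in v ? v[key] : null),
  };
}

// Rule expressions transcribed from the page (=== stands in for the rules' ==).
const rules = {
  ownUid: (auth, data, newData) =>
    !data.exists() && newData.child("user_id").val() === auth.uid,
  facebookOnly: (auth, data, newData) =>
    !data.exists() && auth.provider === "facebook",
  ownUidOrModerator: (auth, data, newData) =>
    (!data.exists() && newData.child("user_id").val() === auth.uid) ||
    auth.isModerator === true,
};

function canWrite(rule, auth, existing, incoming) {
  return rules[rule](auth, snapshot(existing), snapshot(incoming));
}

// Constructed auth payloads and comment records.
const alice = { provider: "password", uid: "alice-uid" };
const bob = { provider: "facebook", uid: "bob-uid" };
const moderator = { uid: "1234", isModerator: true };
const comment = { user_id: "alice-uid", text: "hello" };
const edited = { user_id: "alice-uid", text: "changed" };

// Each row: [rule, auth, existing data, new data]; null new data is a delete.
function decisions() {
  return [
    ["ownUid", alice, null, comment],                  // create with own uid
    ["ownUid", bob, null, comment],                    // user_id is not bob's uid
    ["ownUid", alice, comment, edited],                // comment already exists
    ["facebookOnly", bob, null, comment],              // rule never checks user_id
    ["facebookOnly", alice, null, comment],            // provider is "password"
    ["ownUidOrModerator", moderator, comment, edited], // moderator overwrite
    ["ownUidOrModerator", moderator, comment, null],   // moderator delete
    ["ownUidOrModerator", bob, comment, edited],       // neither author nor moderator
  ].map(([rule, auth, existing, incoming]) => canWrite(rule, auth, existing, incoming));
}

console.log(decisions());
```

The fourth row shows that the Facebook-only rule accepts a comment carrying another user's ID, because it tests only auth.provider; combining it with the user_id check from the first rule ties each comment to its author.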