firebasegoogle-cloud-firestorefirebase-authenticationfirebase-security

Does Firebase security rules language support variable prop name?


I have a Firebase Auth custom claim that look like this:

{
  "orgRoles": {
    "my-org-1": "member",
    "my-org-2": "owner",
    "my-org-3": "admin"
  }
}

Now I want to access it from Firestore Security Rules, kinda like so:

match /organizations/{orgId} {
  allow write if: req.auth != null && (req.auth.token.claims.$(orgId) == "admin" || req.auth.token.claims.$(orgId) == "owner")
}

But this doesn't seem to work. Is there actually a way to do this? I am currently storing custom claims in Firestore as well as Firebase Auth.


Solution

  • It's definitely possible to use custom claims in security rules. You're just using the wrong syntax for indexing into the custom claim map using a variable. You're also using the wrong map. The object request.auth.token contains a Map of custom claims, as described in the documentation.

    Firstly, take a look at some similar questions:

    The documentation for Map shows how to index it with both a variable (using square brackets []) and a named property (using .). This is just like JavaScript. If you have a variable orgId to index into the map request.auth.token.orgRoles, then your rule would look like this:

    match /organizations/{orgId} {
      allow write if: req.auth != null && (req.auth.token.orgRoles[orgId] == "admin" || req.auth.token.orgRoles[orgId] == "owner")
    }