1

I am trying to secure the backend for my app and I can't find a solution anywhere. The documentation isn't helping either.

I have 2 collections: users and usernames;

I want every user to have an unique username and they should be able to change it.

This is how my data looks:

users
 -user
   -username
username
 -uid

These are my rules:

match /users/{uid} {
        allow write: if request.auth.uid != null && !exists(/username/$(resource.data.username));
}

match /username/{username} {
      allow write: if request.auth.uid != null;
}

I need to allow write in the usernames only if a username doesn't exist or if it's uid is the same as the authenticated user.

James A Mohler
  • 11,060
  • 15
  • 46
  • 72
ivan.vliza
  • 153
  • 3
  • 14
  • 1
    Could you enforce this logic in your application rather than the firestore rules? For example, query the data for the username being submitted to check if it exists before submitting a new username? – Dylan Sep 28 '18 at 15:17
  • I can yes, but won't it be less secure that way? – ivan.vliza Sep 28 '18 at 15:19
  • 1
    It doesn't look like there is a way to enforce uniqueness in firestore, but you may be able to accomplish it with cloud functions: https://stackoverflow.com/questions/47405774/cloud-firestore-enforcing-unique-user-names – Dylan Sep 28 '18 at 15:22

0 Answers0