How to allow access to a specific field inside of one that requires auth uid, firebase database rules

Question

I want to allow access to user name so other users can search uses by user name.

I have a search feature in my app that allows users to search other users by user name

Firebase Rules

{
  "rules": {
    "users": {
      "$uid": {
        // Allow only authenticated content owners access to their data
        ".read": "auth.uid != null",
        ".write": "auth.uid != null"
      },

    },
    "chat": {
      "messages": {
        ".write": true,
        ".read": true
      }
    },
    "app-settings": {
      ".write": true,
      ".read": true
    }
  }
}

Here is JSON of users

{
  "app-settings" : {
    "app-Available" : true,
    "version" : "4"
  },

  "users" : {
    "uid" : {
      "blocked" : false,
      "email" : "gamatiaihab@gmail.com",
      "profilePhotoUrl" : "https://lh3.googleusercontent.com/a-/AOh14Gi6eXrdLfZTQH0B7GvoTxhqBHoVFUUTibK3QKfrfA=s96-c",
      "uid" : "uid",
      "userName" : "gamatiaihab"
    }

  }
} 

In my app, I have a feature that allows the user to change their user name, with this code I'm trying to validate the user name checking if it's takin by other user or not, I normally access the single user information by child(uid) this works if firebase rules are only configured for authenticated users, but in order to validate the user name I need to not order the by child(uid) because this will return only single user which is the current user, I need to order by child("users").orderBy("userName") and this returns PERMISSION DENIED because i didn't pass child(uid)

  private void validateUserName(final String chatUserName){
        mEditChatUserNamePr.setVisibility(View.VISIBLE);
        mDb = FirebaseDatabase.getInstance().getReference().child("users");
        mDb.orderByChild("userName")
                .equalTo(chatUserName)
                 .addListenerForSingleValueEvent(new ValueEventListener() {
            @Override
            public void onDataChange(@NonNull DataSnapshot dataSnapshot) {
                if (dataSnapshot.getValue() != null){
                    mEditChatUserNamePr.setVisibility(View.GONE);
                    mChatUserNameInput.setError("User name not available");
                }else {
                    updateUserName(chatUserName);

                }


            }

            @Override
            public void onCancelled(@NonNull DatabaseError databaseError) {

            }
        });
    } 

Answer 1

A user either has access to a complete node, or they don't have access to the node at all. There is no way to give them access to only part of each child node.

But even if there was, your code would have a problem: another user might claim the name between the time your query runs, and you write the new user name to the database. And while this problem may seem unlikely in your testing, in a successful app this type of problems (known as a race condition) is guaranteed to come back and bite you.

The idiomatic (and only guaranteed) way to implement uniqueness is to use the thing that must be unique as the keys in a list in the database. So in your case that'd mean:

1. Creating a list of usernames, with each key being a username, and each value being the UID of the user with that username.
2. Using a transaction to ensure no two users are updating the same node at the same time.
3. Using security rules to ensure that nobody can overwrite a username that was claimed by another user already.

Instead of repeating more here, let me point you to some previous questions where this was covered in more detail:

• Firebase android : make username unique
• How do you prevent duplicate user properties in Firebase?
• unique property in Firebase
• Firebase security rules to check unique value of a child #AskFirebase