How to restrict users to read/write the data based on phone number in Firebase rules

Question

Currently, I have implemented a project folder structure similar to the below

Project folder structure

I have added the Phone authentication in my code.

Now with the help of Firebase rules, I would like to restrict my users to access the child (Phone number 1) based on authenticated phone number.

For instance, if I log-in with phone number "9999999999" then I would like to restrict the user to access only the child of "9999999999" in Firebase rules.

Could you suggest me here to improve the security here.

Answer 1

You can access the phone number from the users auth object so using this you can do the limiting in security rules. Below are examples in Firestore, RTDB and Storage

Firestore

match /databases/{database}/documents {
    match /users/{phoneNumber} {
      allow read, write: if request.auth.token.phone_number == phoneNumber;
    }
}

Realtime Database

{
    "rules" : {
        "users" : {
            "$phoneNumber" : {
                ".read" : "request.auth.token.phone_number == $phoneNumber",
                ".write" : "request.auth.token.phone_number == $phoneNumber"
            }
        }
    }
}

Storage

service firebase.storage {
    match /b/{bucket}/o {
        match /users/{phoneNumber} {
            allow read, write: if request.auth.token.phone_number == phoneNumber;
        }
    }
}