Firebase Rules and Security Configuration: Question on Permission Settings for User-Private Data Nodes

Secure Firebase Realtime Database Rules for Per-User Access

To lock down your database so users can only access their own data, you’ll need to adjust your rules to target individual user nodes specifically. Here’s the updated, secure rule set:

{
  "rules": {
    "$userId": {
      // Restrict read/write to only the authenticated user matching the node's ID
      ".read": "auth != null && auth.uid === $userId",
      ".write": "auth != null && auth.uid === $userId"
    },
    // Block direct access to root or non-user paths as a safety net
    ".read": false,
    ".write": false
  }
}

Key Breakdown:

  • $userId wildcard: This acts as a variable that matches any child node under the root (which should be your users' unique IDs). It lets us compare the node’s key to the logged-in user’s UID.
  • auth != null: Ensures only logged-in users can perform any operations—guests get no access at all.
  • auth.uid === $userId: The critical security check: it verifies the current user’s Firebase Auth UID exactly matches the node’s key (their user ID). This guarantees users can’t peek into or modify others’ data.
  • Root-level false rules: Blocks direct access to the root directory or any paths that aren’t individual user nodes, adding an extra layer of protection against unintended access attempts.

Quick Tips:

  • Double-check your database structure: User data should live directly under the root with each user’s ID as the node key (e.g., /user_123/profile, /user_456/settings).
  • If you’re using a custom user ID (not Firebase Auth’s uid), replace auth.uid with the relevant field from the auth token (like auth.token.email or a custom claim you’ve set).
  • Test with the Firebase Console’s Rule Simulator: Simulate authenticated requests with different UIDs to confirm users can only access their own data.
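To make the Rule Simulator tip concrete without a Firebase project, here is a small added example (not part of the original answer and not Firebase's own engine) that models how the Realtime Database evaluates the rule set above: it binds `$` wildcards to path segments, evaluates the JS-like rule expressions with `auth`, and applies the cascade rule that a grant at any ancestor allows the operation. The sample paths and UIDs are constructed for the demonstration.

```javascript
// Added example: a minimal model of Firebase Realtime Database rule
// evaluation for the per-user rule set discussed above. It supports only
// what those rules use ($wildcards, auth, and the downward cascade) and is
// NOT the real Firebase engine; use the Console's Rule Simulator for the
// authoritative answer.

// The rule set from the answer, as a plain object (comments dropped).
const rules = {
  rules: {
    $userId: {
      ".read": "auth != null && auth.uid === $userId",
      ".write": "auth != null && auth.uid === $userId",
    },
    ".read": false,
    ".write": false,
  },
};

// Evaluate one rule expression. Firebase's rule language is JS-like, so for
// the subset used here a JS Function over `auth` and the bound wildcards is
// a faithful enough stand-in. Boolean literals are returned as-is; any
// runtime error (e.g. a property read on a null auth) counts as "denied".
function evalRule(expr, auth, bindings) {
  if (typeof expr !== "string") return Boolean(expr);
  const names = Object.keys(bindings);
  const fn = new Function("auth", ...names, `return Boolean(${expr});`);
  try {
    return fn(auth, ...names.map((n) => bindings[n]));
  } catch (e) {
    return false;
  }
}

// Walk the path from the root. Rules cascade downward: a grant at any level
// allows the operation, and a `false` at the root does NOT revoke a grant
// made at a child. `op` is ".read" or ".write"; `auth` is null for guests
// or an object like { uid: "user_123" }.
function isAllowed(ruleSet, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const bindings = {};
  let node = ruleSet.rules;
  if (evalRule(node[op], auth, bindings)) return true;
  for (const seg of segments) {
    let next;
    if (Object.prototype.hasOwnProperty.call(node, seg) && !seg.startsWith("$")) {
      next = node[seg];
    } else {
      // No literal child: fall back to the first $wildcard and bind it.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // no rule covers this path
      bindings[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    if (evalRule(node[op], auth, bindings)) return true;
  }
  return false;
}

// The cases a practitioner would try in the Rule Simulator.
const alice = { uid: "user_123" };
const bob = { uid: "user_456" };
console.log(isAllowed(rules, ".read", "/user_123/profile", alice)); // true
console.log(isAllowed(rules, ".read", "/user_123/profile", bob)); // false
console.log(isAllowed(rules, ".write", "/user_123/settings", null)); // false
console.log(isAllowed(rules, ".read", "/", alice)); // false
```

The last point to take from this model is the cascade: if you ever set `".read": true` at the root (for example while debugging), every user node becomes readable regardless of the `$userId` check below it, because the ancestor grant wins. Keeping the root at `false` therefore does no harm, but it is the per-node `auth.uid === $userId` rule that actually does the work.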

The question was taken from Stack Exchange; asked by smcroissant.