Restricting allowed keys in Firebase

Question

Is there a way to only allow (but not require) keys in a Firebase object? I know you can use .validate to ensure that an object has certain keys. Is it possible to only allow certain keys, in a whitelist of sorts? If not, it seems like this would be a great way for unwanted/unnecessary data to make it into the database from malicious clients.

Answer 1

You can use Firebase's $ variables to disallow all non-specified children. From the Firebase guide on securing your data, comes this example:

{
  "rules": {
    "widget": {
      // a widget can have a title or color attribute
      "title": { ".validate": true },
      "color": { ".validate": true },
      // but no other child paths are allowed
      // in this case, $other means any key excluding "title" and "color"
      "$other": { ".validate": false }
    }
  }
}

So the widget node can have a color and/or a title property. But if it has any other properties, it will be rejected.

So these are all valid according to these security rules:

ref.child('widget').set({ title: 'all is blue' });
ref.child('widget').set({ color: 'blue' });
ref.child('widget').set({ title: 'all is blue', color: 'blue' });

But these are invalid according to the rules above:

ref.child('widget').set({ titel: 'all is blue' });
ref.child('widget').set({ title: 'all is blue', description: 'more...' });