Firestore Security Rules: understanding match /databases/{database}/documents

Question

I am having trouble wrapping my head around match /databases/{database}/documents, in the security rules from the official documentation:

The match /databases/{database}/documents declaration specifies that rules should match any Cloud Firestore database in the project. Currently each project has only a single database named (default)

Correct me if I am wrong, if, currently, there is only one database per project, the latter being named default so would it be possible to replace {database} by {default} or default as in /databases/default/documents?

If not, why?

Also, following the "any" wildcard could we replace /databases/{database}/documents by /databases/{database=**}/documents?

If not, why?

Answer 1

if, currently, there is only one database per project, the latter being named default so would it be possible to replace {database} by {default} or default as in /databases/default/documents?

You would replace it with "(default)". There are no other strings that will work, currently.

Also, following the "any" wildcard could we replace /databases/{database}/documents by /databases/{database=**}/documents?

No, that will not work. The recursive wildcard syntax you're referring to only works for matching paths of documents when referring to collections and documents.

Currently, there is no real value in saying anything other than "/databases/{database}/documents" as the prefix of the match. There can be only one database per project. While the rules allow for the concept of more, in practice, there is never any more. That is not likely to change any time soon.

If you have feedback about the rules system, feel free to report that to Firebase support directly.