Why is Cloud Firestore not allowing access with Firebase Auth validation?

Question

I have a Cloud Firestore database with the following security rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /data/{userId=**} {
        allow read: if request.auth.uid == userId;
    }
  }
}

I have a react app that is reading a single document with a realtime listener. I am getting the message "Uncaught Error in snapshot listener: FirebaseError: Missing or insufficient permissions."

If I print the user.uid to the console, it is correct. I have validated that the read is performed after the user is authenticated. The user.uid matches the "userId" document above.

If I change the Firestore security rules to the following, the read works without issue:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /data/{userId=**} {
        allow read: if request.auth != null;
    }
  }
}

If it makes any difference, the user is signed in with the signInWithCustomToken method. With the rule change, it would appear that somehow the correct uid is not getting passed to the Firestore request, but I cannot see why. Has anyone had an issue like this?

Answer 1

as per the this part of the documentation

service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure the uid of the requesting user matches name of the user
    // document. The wildcard expression {userId} makes the userId variable
    // available in rules.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null && request.auth.uid == userId;
      allow create: if request.auth != null;
    }
  }
}

it should be {userID} instead of {userId=**} to be able to access the variable