Firebase security: find other users via email


Let's say we have these data in Firebase.

    usersMail
      - "example1@mail.com": "1"
      - "example2@mail.com": "2"
      - "example3@mail.com": "3"

Is there any way for user1 to query his own list of emails to look up his friends who are using the application without setting usersMail to be iterable by all users?

If this isn't possible in Firebase, would I have to set up a server with an admin account to do the querying? Still very new to the back-end stuff so I appreciate the help!


So the question is: two users exist in Firebase, uid_0 and uid_1, and we need the ability for uid_0 to search for uid_1 by email.

However, we want to prevent other users from iterating over the users node.

The answer is no. This cannot be done. To query a users node for another user by email, a user would have to have access to each of the users within that node.

There may be another option however. Suppose uid_1 (doug) knows that uid_0 (bob) wants to find him and add him as a friend.

    users
      uid_0:
        email: bob@greatwhitenorth.com
      uid_1:
        email: doug@greatwhitenorth.com

and then a node that links users together. In this case doug knows bob will be looking for him, so we include doug's uid so that when bob reads the node it will be included in the child data

    email_finder
      doug@greatwhitenorth.com
        bob@greatwhitenorth.com: true
        uid: uid_1

and rules to limit access

rules for email_finder node

    "email_finder": {
      "$email": {
        ".read": "root.child('email_finder').child($email).child(root.child('users').child(auth.uid).child('email').val()).val() === true"
      }
    }

If I typed that correctly,

    root.child('users').child(auth.uid).child('email').val()

should retrieve the current user's email from the users node, in this case bob@greatwhitenorth.com, so call that X

    .child($email).child(X).val() === true

to ensure that the email = true (exists) within the doug node

Then a direct observe would return the node containing the uid

    let thisUserRef = emailFinderRef.childByAppendingPath("doug@greatwhitenorth.com")
    thisUserRef.observeEventType(.Value, withBlock: { snapshot in
        // capture the uid
    })

You would also want a Rule on the users node that only allows a user to read their own node as well.

This is totally untested and possibly even totally wrong but may give you a direction of a possible solution.
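
The access decision that the email_finder rule in the answer above is meant to make, modelled in plain JavaScript as an added example (not code from the question or the answer, and not Firebase's rules engine). The data is constructed; `encodeEmail`, `canReadFinder`, `findUid` and the `uid_2` user are hypothetical names, and the `,` encoding is an assumption made because Realtime Database keys cannot contain `.`.

```javascript
// Assumption: e-mail addresses used as keys are stored with '.' replaced by
// ',' because Realtime Database keys cannot contain '.'.
const encodeEmail = (email) => email.replace(/\./g, ',');

// Constructed sample data following the layout in the answer.
const db = {
  users: {
    uid_0: { email: 'bob@greatwhitenorth.com' },
    uid_1: { email: 'doug@greatwhitenorth.com' },
    uid_2: { email: 'mallory@example.com' }, // constructed third user
  },
  email_finder: {
    [encodeEmail('doug@greatwhitenorth.com')]: {
      [encodeEmail('bob@greatwhitenorth.com')]: true, // doug expects bob
      uid: 'uid_1',
    },
  },
};

// Model of the $email read rule: the caller's own e-mail, looked up through
// auth.uid in the users node, must be a child with value true under the
// requested email_finder node.
function canReadFinder(data, auth, email) {
  if (!auth || !data.users[auth.uid]) return false; // no auth or unknown uid
  const callerKey = encodeEmail(data.users[auth.uid].email);
  const node = data.email_finder[encodeEmail(email)];
  return node !== undefined && node[callerKey] === true;
}

// Model of the direct read: returns the stored uid, or null when the rule
// denies the read (the client would see a permission error instead).
function findUid(data, auth, email) {
  if (!canReadFinder(data, auth, email)) return null;
  return data.email_finder[encodeEmail(email)].uid;
}

// bob was listed by doug, so he gets doug's uid; nobody else does.
console.log(findUid(db, { uid: 'uid_0' }, 'doug@greatwhitenorth.com'));
console.log(findUid(db, { uid: 'uid_2' }, 'doug@greatwhitenorth.com'));
console.log(findUid(db, null, 'doug@greatwhitenorth.com'));
```

Because the decision rests on `users/<uid>/email`, the rules on the users node should keep that value tied to the account's verified address.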


