Fixed Variables and Context Objects

33 Fixed Variables and Context Objects

This chapter introduces the core variables and context objects available within Oracle Backend for Firebase security rule expressions. These are the building blocks for writing dynamic, data-aware access policies that respond to both the incoming request and the stored resource.

Parent topic: Security Rules

33.1 Request Context

Authentication context describes application user details The request object represents the incoming client request. It contains metadata about the user, the operation being performed, and the data being submitted.

request.auth

request.auth describes the authenticated user making the request. Available fields include:

Field	Description
`user_id`	Unique id assigned by Oracle Backend for Firebase Authentication service
`user_displayName`	Users display name in format <FirstName> <LastName>
`sub`	Subject identifier (same as user's email address using which user registered to the application)
`iat`	Token issued timestamp
`eat`	Token expiry timestamp
`uid`	Same as `user_id`.
`email`	Email address
`email_verified`	Indicates whether the user's email address is verified "true"/"false"
`scope`	Access scope (scope as defined by Oracle Backend for Firebase Service)
`query`	`limit`: Number of documents queried by the client <Number>
`token`	`email`: User's email address via which user registered to the application `email_verified`: Indicates whether the user's email address is verified "true"/"false" `name`: Users display name in format <FirstName> <LastName>
`time`	Time stamp will be in ISO 8601 UTC format.
`path`	Collection or document path in string format "/user/user123/recipes"
`path_arr`	Collection or document path in array format eg: ["user","user123","recipes"]
`method`	valid values are `get`/`list`/`update`/`create`/`delete`
`resource`	`data`: Contains client given data/document
`idp_type`	Identity provider type (`BASE`, `LDAP`, `IDCS`)

request.resource.data

request.resource.data represents the data being submitted in the request. This is used to validate fields before creation or update. For example:

request.resource.data.isPublic == true

request.time

request.time is the timestamp of the request in ISO 8601 UTC format. It is useful for time-based rules. For example:

request.time.year() == 2025

request.path and request.path_arr

request.path: Full path string (For example, /users/user123/recipes)
request.path_arr: Path as array segments (For example, ["users", "user123", "recipes"])

request.method

request.method represents the operation being performed: get, list, create, update, or delete.

Parent topic: Fixed Variables and Context Objects

33.2 Resource Context

The resource object represents the existing data stored in the backend. It is used to compare against the request data for conditional access.

resource.data

resource.data contains the persisted document or file data. For example:

resource.data.uuid == request.auth.uid

This is commonly used to enforce owner-only access or validate stored flags like isPublic.

Parent topic: Fixed Variables and Context Objects

33.3 Additional Fixed Variables

These variables are available globally within rule expressions:

Variable	Description
`time`	Current server time (ISO 8601 UTC)
`method`	Operation type (such as `get`, `list`)
`path`	Full path string
`path_arr`	Path as array segments

Parent topic: Fixed Variables and Context Objects

33.4 Example Usage

The following examples demonstrate some common usages of rules.

Example 33-1 Owner-Only Update:

match /users/{userid}/recipes/{recipeid} {
  allow update: if request.auth.uid == resource.data.uuid;
}

Example 33-2 Restrict Creation Based on Request Data

match /posts/{postId} {
  allow create: if request.resource.data.isPublic == true;
}

Example 33-3 Time-Based Access

match /reports/{reportId} {
  allow get: if request.time.month() == 11;
}

Parent topic: Fixed Variables and Context Objects