Create a document only if it doesn't exist in Firebase Firestore

Question

What I am trying to achieve is very simple. I need to create a user entry in the database only if it doesn't exist.

The app flow:

Create a user with Firebase Auth (obtain UID)
Create a user document in the database using UID as the key

The client code (create operation):

this.db.doc('users/' + uid).set({username: Santa})

The firestore rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow create: if 
        request.auth != null && 
        request.auth.uid == uid && 
        !exists(/databases/$(database)/documents/users/$(uid));
      allow update: if request.auth != null && request.auth.uid == uid; 
    }
  }
}

Additional info:

As you may already know the code doesn't work. Everytime I run the client-side code the current user is completely replaced with a new document. However, if I delete the following line from the rules everything works as expected:

allow update: if request.auth != null && request.auth.uid == uid;

But now the question arises, how do I secure data inside user document from unauthorised modifications? Any advice?

I would consider using firebase functions for this - instead of the client modifying the users collection. There is an "auth" trigger, that lets you do stuf when a new user is created. — DauleDK, Oct 26 '17 at 09:09

score 12 · Accepted Answer · edited Mar 08 '19 at 19:10

If you want to allow creating a document only if it doesn't already exist, just use the allow create rule that you already have. Because you also have an allow update rule, updating the existing data is also allowed.

The following rules should be sufficient:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow create: if request.auth != null && request.auth.uid == uid;
    }
  }
}

You don't need the exists() call, because allow create only applies if the data does not exist.

Now to your question: You should clarify what you mean exactly. Now only the authenticated user can modify its own record. If you don't want to allow arbitrary data to be written, check for it.

Here are some examples: https://firebase.google.com/docs/firestore/security/rules-conditions#authentication

The provided link is no long valid try this one: https://firebase.google.com/docs/reference/security/storage/ — Jessy, Dec 01 '18 at 14:36

score 2 · Answer 2 · answered Nov 17 '17 at 11:06

Use logic in your code, but not in rules. Add addOnCompleteListener to user collection and after get the result do some actions.

getUsers.document(userUID).get().addOnCompleteListener(new OnCompleteListener<DocumentSnapshot>() {
@Override
public void onComplete(@NonNull Task<DocumentSnapshot> doc) {
     if(!doc.getResult().exists()){
        //add new user
    }
}

}

Rules:

match /UsersProfile/{document=**} {
  allow read, write: if request.auth != null;
}

Agree with relying on code, not on security rules for logic. — jamix, Sep 06 '19 at 16:20

forresthopkinsa · Answer 3 · 2021-08-09T06:29:49.110

2

You can now accomplish this with the create method:

create(data) → {Promise.<WriteResult>}

Create a document with the provided object values. This will fail the write if a document exists at its location.

DocumentReference.create

It can also be done even more nicely with Transactions:

create(documentRef, data) → {Transaction}

Create the document referred to by the provided DocumentReference. The operation will fail the transaction if a document exists at the specified location.

Transaction.create

edited Aug 09 '21 at 06:29

answered Aug 09 '21 at 06:13

forresthopkinsa

1,339
1
24
29

Looks like they have removed the create method from the new API... – David May 16 '22 at 23:35

score 0 · Answer 4 · answered Feb 11 '20 at 01:30

I had use this and it worked. Basically I make sure the user is logged in by request.auth != null and then I check to see if the resource requested is null. If the resource already exists, then it means the user exists.

I added in the allow update in case you wanted only the user to change their own data.

match /users/{document} {
      allow create: if request.auth != null && resource == null;
      allow update: if request.auth != null && request.auth.uid == resource.data.author_uid;
}

score 0 · Answer 5 · answered Jun 25 '22 at 20:22

Below code creates document only if not existing else throws an exception

DocumentReference reference = db.collection("ordersCollection").document(userId);
    try {
        ApiFuture<WriteResult> future = reference.create(userPojo);
        System.out.println("Update time : " + future.get().getUpdateTime());
        System.out.println("created entity "+userPojo.getUserId());
    } catch (InterruptedException | ExecutionException e) {
        throw new RuntimeException(e);
    }

score -1 · Answer 6 · answered Nov 11 '17 at 18:22

-1

this.db.doc('users/' + uid).set({username: Santa}, {merge: true}) It should merge and not replace. Fields omitted will remain untouched. https://firebase.google.com/docs/reference/js/firebase.firestore.DocumentReference#set

answered Nov 11 '17 at 18:22

Joris Calvat

1
1

Create a document only if it doesn't exist in Firebase Firestore

6 Answers6

`create(data) → {Promise.<WriteResult>}`

`create(documentRef, data) → {Transaction}`

Linked