I am trying to secure the backend for my app and I can't find a solution anywhere. The documentation isn't helping either.

I have 2 collections: users and usernames.

I want every user to have a unique username and they should be able to change it.

This is how my data looks:


These are my rules:

match /users/{uid} {
    allow write: if request.auth.uid != null && !exists(/username/$(resource.data.username));
}

match /username/{username} {
    allow write: if request.auth.uid != null;
}

I need to allow write in the usernames only if a username doesn't exist or if its uid is the same as the authenticated user.

  • Could you enforce this logic in your application rather than the Firestore rules? For example, query the data for the username being submitted to check if it exists before submitting a new username? – Dylan 6 mins ago
  • I can, yes, but won't it be less secure that way? – ivan.vliza 4 mins ago
  • It doesn't look like there is a way to enforce uniqueness in Firestore, but you may be able to accomplish it with Cloud Functions: stackoverflow.com/questions/47405774/… – Dylan 1 min ago
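
An added example, not part of the original question or comments: one way to write the stated requirement (a username may be written only if it does not exist yet or already belongs to the signed-in user) as Firestore security rules. It assumes a layout the page does not show: `usernames/{username}` documents holding a `uid` field and `users/{uid}` documents holding a `username` field; the helper names `signedIn` and `userAfter` are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: usernames/{username} = { uid }, users/{uid} = { username, ... }
    function signedIn() {
      return request.auth != null;
    }
    // State of the caller's profile as it will be once the whole batch commits.
    function userAfter(uid) {
      return getAfter(/databases/$(database)/documents/users/$(uid));
    }

    match /usernames/{username} {
      // "create" only matches a document that does not exist yet, so a taken
      // name cannot be claimed a second time. The claim must name the caller
      // as owner and the caller's profile must point at it in the same batch.
      allow create: if signedIn()
                    && request.resource.data.uid == request.auth.uid
                    && userAfter(request.auth.uid).data.username == username;

      // The owner may rewrite the reservation but not hand it to another uid.
      allow update: if signedIn()
                    && resource.data.uid == request.auth.uid
                    && request.resource.data.uid == request.auth.uid;

      // The owner may release a name once the profile no longer points at it.
      allow delete: if signedIn()
                    && resource.data.uid == request.auth.uid
                    && userAfter(request.auth.uid).data.username != username;
    }

    match /users/{uid} {
      // A profile write is accepted only if, after the batch, the reservation
      // for its username exists and belongs to this user.
      allow create, update: if signedIn()
                            && request.auth.uid == uid
                            && existsAfter(/databases/$(database)/documents/usernames/$(request.resource.data.username))
                            && getAfter(/databases/$(database)/documents/usernames/$(request.resource.data.username)).data.uid == uid;
    }
  }
}
```

With these rules the client has to send the profile update, the new reservation and the deletion of the old reservation together in one batched write or transaction; any of them sent alone is rejected.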
