I've been trying to come up with a flat data structure for Firebase Database (as is recommended) and afterwards, a set of rules to control access correctly. My example is trying to demonstrate how you'd lock down/allow access to a db which is multi-tenanted across different organizations.
My first attempt was something like this:
Database structure: https://gist.github.com/peteski22/40b0a79a6854d7bb818919a5262f4a7e
{
"admins" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42" : true
},
"organizations": {
"-JiGh_31GA20JabpZBfc" : {
"name" : "Comp1 Ltd"
},
"-JiGh_31GA20JabpZBfd" : {
"name" : "company2 PLC"
}
},
"users" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42": {
"firstName" : "Peter",
"lastName" : "Piper",
"email" : "peter.piper#testtest.com",
"organization" : ""
},
"-JiGh_31GA20JabpZBfe" : {
"firstName" : "Joe",
"lastName" : "Blogs",
"email" : "joe.blogs#co1.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"WgnHjk5D8xbuYeA7VDM3ngKwCYV2" : {
"firstName" : "test",
"lastName" : "user",
"email" : "test.user#google.com",
"organization" : "-JiGh_31GA20JabpZBfd"
}
},
"employees" : {
"-JiGh_31GA20JabpZBeb" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Johnny",
"lastName" : "Baggs",
"email" : "j.baggss#co1.com",
"employeeNumber" : "ASV123456"
},
"-JiGh_31GA20JabpZBec" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Maheswari",
"lastName" : "Sanjal",
"email" : "mahe.sanjal#co1.com",
"employeeNumber" : "ASV111111"
},
"-JiGh_31GA20JabpZBce" : {
"organization" : "-JiGh_31GA20JabpZBfd",
"firstName" : "Fedde",
"lastName" : "le Grande",
"email" : "fedde.grande#co2.com",
"employeeNumber" : "ASV111111"
}
}
}
Database rules: https://gist.github.com/peteski22/b038d81641c1409cec734d187272eeba
{
"rules" : {
"admins" : {
".read" : "root.child('admins').hasChild(auth.uid)",
".write" : "root.child('admins').hasChild(auth.uid)"
},
"users" : {
"$user" : {
".read" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()",
".write" : "root.child('admins').hasChild(auth.uid)"
}
},
"organizations" : {
"$organization" : {
".read" : "$organization === root.child('users').child(auth.uid).child('organization').val()",
".write" : "root.child('admins').hasChild(auth.uid)"
}
},
"employees" : {
"$employee" : {
".read" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()",
".write" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()"
}
}
}
}
However the problem here seemed to be that I couldn't do something like:
[GET] /employees
to see a collection of employees that belonged to the same organization as the logged in user.
After much faffing, I read this in the docs: https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters, which I think boils down to 'you're doing it wrong' if you want to get at the data the way I did.
Back to the drawing board, and after reading https://www.firebase.com/docs/web/guide/structuring-data.html / https://firebase.google.com/docs/database/web/structure-data
I made some changes to the db structure and rules:
Attempt #2 structure: https://gist.github.com/peteski22/4593733bf54815393a443dfcd0f34c04
{
"admins" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42" : true
},
"organizations": {
"-JiGh_31GA20JabpZBfc" : {
"name" : "Comp1 Ltd",
"users" : {
"-JiGh_31GA20JabpZBfe" : true,
"-JiGh_31GA20JabpZBff" : true,
"-JiGh_31GA20JabpZBea" : true
},
"employees" : {
"-JiGh_31GA20JabpZBeb" : true,
"-JiGh_31GA20JabpZBec" : true
}
},
"-JiGh_31GA20JabpZBfd" : {
"name" : "company2 PLC",
"users" :{
"WgnHjk5D8xbuYeA7VDM3ngKwCYV2" : true
},
"employees" :{
"-JiGh_31GA20JabpZBce" : true
}
}
},
"users" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42": {
"firstName" : "Peter",
"lastName" : "Piper",
"email" : "peter.piper#testtest.com",
"organization" : ""
},
"-JiGh_31GA20JabpZBfe" : {
"firstName" : "Joe",
"lastName" : "Blogs",
"email" : "joe.blogs#co1.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"-JiGh_31GA20JabpZBff" : {
"firstName" : "Sally",
"lastName" : "McSwashle",
"email" : "sally.mcswashle#co1.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"-JiGh_31GA20JabpZBea" : {
"firstName" : "Eva",
"lastName" : "Rushtock",
"email" : "eva.rushtock#payrollings.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"WgnHjk5D8xbuYeA7VDM3ngKwCYV2" : {
"firstName" : "test",
"lastName" : "user",
"email" : "test.user#google.com",
"organization" : "-JiGh_31GA20JabpZBfd"
}
},
"employees" : {
"-JiGh_31GA20JabpZBeb" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Johnny",
"lastName" : "Baggs",
"email" : "j.baggss#financeco.com",
"employeeNumber" : "ASV123456"
},
"-JiGh_31GA20JabpZBec" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Maheswari",
"lastName" : "Sanjal",
"email" : "mahe.sanjal#financeco.com",
"employeeNumber" : "ASV111111"
},
"-JiGh_31GA20JabpZBce" : {
"organization" : "-JiGh_31GA20JabpZBfd",
"firstName" : "Fedde",
"lastName" : "le Grande",
"email" : "fedde.grande#payrollings.com",
"employeeNumber" : "ASV111111"
}
}
}
Attempt #2 rules: https://gist.github.com/peteski22/e1be434cd1ea8ec2e630bec6d8aa714f
{
"rules" : {
"admins" : {
".read" : "root.child('admins').hasChild(auth.uid)",
".write" : "root.child('admins').hasChild(auth.uid)"
},
"users" : {
".indexOn": [ "organization" ],
"$user" : {
".read" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()",
".write" : "root.child('admins').hasChild(auth.uid)"
}
},
"organizations" : {
".indexOn": [ "users", "employees" ],
"$organization" : {
".read" : "$organization === root.child('users').child(auth.uid).child('organization').val()",
".write" : "root.child('admins').hasChild(auth.uid)"
}
},
"employees" : {
".indexOn": [ "organization" ],
"$employee" : {
".read" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()",
".write" : "data.child('organization').val() === root.child('users').child(auth.uid).child('organization').val()"
}
}
}
}
Now I can keep the data locked down fine in each collection, but the only way to get anything is to know the organization ID, get that organization, then get each and every employee by their ID. Although the docs above for structuring data (section: Joining Flattened Data) seem to suggest that it's fine to do this, coming from an OO and SQL background it feels very weird.. which usually means.. 'I'm doing it wrong'.
If anyone has any advice on whether I'm going down the right track, or what to try instead it would be greatly appreciated.
Thanks
Peter
After reading the docs and chatting with people in the firebase-community slack, I've come to the conclusion that I was on the right track.
I found using a compiler called "Bolt" (firebase-bolt in npm) extremely useful for generating the rules too.
Here's my structure, bolt rules and compiled JSON rules:
Structure
{
"admins" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42" : true
},
"organizations": {
"-JiGh_31GA20JabpZBfc" : {
"name" : "Comp1 Ltd",
"users" : {
"-JiGh_31GA20JabpZBfe" : true,
"-JiGh_31GA20JabpZBff" : true,
"-JiGh_31GA20JabpZBea" : true
},
"employees" : {
"-JiGh_31GA20JabpZBeb" : true,
"-JiGh_31GA20JabpZBec" : true
}
},
"-JiGh_31GA20JabpZBfd" : {
"name" : "company2 PLC",
"users" :{
"WgnHjk5D8xbuYeA7VDM3ngKwCYV2" : true
},
"employees" :{
"-JiGh_31GA20JabpZBce" : true
}
}
},
"users" : {
"8UnM6LIiZJYAHVdty6gzdD8oVI42": {
"firstName" : "Peter",
"lastName" : "Piper",
"email" : "peter.piper#testtest.com",
"organization" : ""
},
"-JiGh_31GA20JabpZBfe" : {
"firstName" : "Joe",
"lastName" : "Blogs",
"email" : "joe.blogs#co1.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"-JiGh_31GA20JabpZBff" : {
"firstName" : "Sally",
"lastName" : "McSwashle",
"email" : "sally.mcswashle#co1.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"-JiGh_31GA20JabpZBea" : {
"firstName" : "Eva",
"lastName" : "Rushtock",
"email" : "eva.rushtock#payrollings.com",
"organization" : "-JiGh_31GA20JabpZBfc"
},
"WgnHjk5D8xbuYeA7VDM3ngKwCYV2" : {
"firstName" : "test",
"lastName" : "user",
"email" : "test.user#google.com",
"organization" : "-JiGh_31GA20JabpZBfd"
}
},
"employees" : {
"-JiGh_31GA20JabpZBeb" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Johnny",
"lastName" : "Baggs",
"email" : "j.baggss#financeco.com",
"employeeNumber" : "ASV123456"
},
"-JiGh_31GA20JabpZBec" : {
"organization" : "-JiGh_31GA20JabpZBfc",
"firstName" : "Maheswari",
"lastName" : "Sanjal",
"email" : "mahe.sanjal#financeco.com",
"employeeNumber" : "ASV111111"
},
"-JiGh_31GA20JabpZBce" : {
"organization" : "-JiGh_31GA20JabpZBfd",
"firstName" : "Fedde",
"lastName" : "le Grande",
"email" : "fedde.grande#payrollings.com",
"employeeNumber" : "ASV111111"
}
}
}
Bolt Rules
// **********
// FUNCTIONS
// **********
function isAdmin (auth) {
return root.admins[auth.uid] != null
}
function isInSameOrganization(auth, orgUid) {
return root.users[auth.uid].organization === orgUid
}
// **********
// PATHS
// **********
path /admins {
read() { isAdmin(auth) }
write() { isAdmin(auth) }
}
path /users {
index() { ["organization"] }
write() { isAdmin(auth) }
}
path /users/{id} is User {
read() { isInSameOrganization(auth, id) || isAdmin(auth) }
}
path /organizations {
write() { isAdmin(auth) }
}
path /organizations/{id} is Organization {
read() { isInSameOrganization(auth, id) }
}
path /employees {
index() { ["organization"] }
write() { isInSameOrganization(auth, this.organization) || isAdmin(auth) }
}
path /employees/{id} is Employee {
read() { isInSameOrganization(auth, id) || isAdmin(auth) }
}
// **********
// TYPES
// **********
type OrganizationID extends String {
validate() { root.organizations[this] != null }
}
type UserID extends String {
validate() { root.users[this] != null }
}
type EmployeeID extends String {
// Validate that the user ID exists in the employees node (read rule access should prevent us reading a employees that isn't in our org)
validate() { root.employees[this] != null }
}
type Email extends String {
validate() {
return this.matches(/^[A-Z0-9._%+-]+#[A-Z0-9.-]+\\.[A-Z]{2,4}$/i);
}
}
type User {
firstName: String,
lastName: String
email: Email,
organization: OrganizationID
}
type Employee {
organization: OrganizationID,
firstName: String,
lastName: String,
email: Email,
employeeNumber: String
}
type Organization {
name: String,
users: Map<UserID, Boolean> | Null,
employees: Map<EmployeeID, Boolean> | Null
}
JSON Rules (generated by Bolt)
{
"rules": {
"admins": {
".read": "root.child('admins').child(auth.uid).val() != null",
".write": "newData.parent().child('admins').child(auth.uid).val() != null"
},
"users": {
".write": "newData.parent().child('admins').child(auth.uid).val() != null",
".indexOn": [
"organization"
],
"$id": {
".validate": "newData.hasChildren(['firstName', 'lastName', 'email', 'organization'])",
"firstName": {
".validate": "newData.isString()"
},
"lastName": {
".validate": "newData.isString()"
},
"email": {
".validate": "newData.isString() && newData.val().matches(/^[A-Z0-9._%+-]+#[A-Z0-9.-]+\\\\.[A-Z]{2,4}$/i)"
},
"organization": {
".validate": "newData.isString() && newData.parent().parent().parent().child('organizations').child(newData.val()).val() != null"
},
"$other": {
".validate": "false"
},
".read": "root.child('users').child(auth.uid).child('organization').val() == $id || root.child('admins').child(auth.uid).val() != null"
}
},
"organizations": {
".write": "newData.parent().child('admins').child(auth.uid).val() != null",
"$id": {
".validate": "newData.hasChildren(['name'])",
"name": {
".validate": "newData.isString()"
},
"users": {
"$key1": {
".validate": "newData.parent().parent().parent().parent().child('users').child($key1).val() != null && newData.isBoolean()"
},
".validate": "newData.hasChildren()"
},
"employees": {
"$key2": {
".validate": "newData.parent().parent().parent().parent().child('employees').child($key2).val() != null && newData.isBoolean()"
},
".validate": "newData.hasChildren()"
},
"$other": {
".validate": "false"
},
".read": "root.child('users').child(auth.uid).child('organization').val() == $id"
}
},
"employees": {
".write": "newData.parent().child('users').child(auth.uid).child('organization').val() == newData.child('organization').val() || newData.parent().child('admins').child(auth.uid).val() != null",
".indexOn": [
"organization"
],
"$id": {
".validate": "newData.hasChildren(['organization', 'firstName', 'lastName', 'email', 'employeeNumber'])",
"organization": {
".validate": "newData.isString() && newData.parent().parent().parent().child('organizations').child(newData.val()).val() != null"
},
"firstName": {
".validate": "newData.isString()"
},
"lastName": {
".validate": "newData.isString()"
},
"email": {
".validate": "newData.isString() && newData.val().matches(/^[A-Z0-9._%+-]+#[A-Z0-9.-]+\\\\.[A-Z]{2,4}$/i)"
},
"employeeNumber": {
".validate": "newData.isString()"
},
"$other": {
".validate": "false"
},
".read": "root.child('users').child(auth.uid).child('organization').val() == $id || root.child('admins').child(auth.uid).val() != null"
}
}
}
}
I'm still finding bugs in this, but I think it's showing progress. Just to note that there are some good official & unofficial Firebase videos on Youtube, the docs are fairly decent for the most part, and the firebase-community seems to be friendly. So any new comers like me, you know where to start.
{
"rules": {
"users": {
"$uid":{
//Private whatever under "uid" but Public is exposed
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
"public": { ".read": "auth != null" }
}
}
}
}
I've created these rules to have users public/private profile
"users/{uid}/public" profile should be accessible by any users those are authenticated, but cannot access the data under "users/uid"
Here is some fake data that is stored in my firebase database.
{
"users" : {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"Name:" : "Example 1",
//This public child should be accessible by
//"Example 2" but cannot know the name of
// this user
"public" : {
"email" : "example1#gmail.com"
}
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"Name:" : "Example 2",
//This public child should be accessible by
//"Example 1" but cannot know the name of
// this user
"public" : {
"email" : "example2#gmail.com"
}
}
}
}
I want to know if this is the robust way to prevent any users from accessing user's critical information! Is there anyway I can improve this by using validate? I am open to any suggestions you guys have. I want to create the best and simple security rules for my app.
You can definitely secure access to the private and public data with your current data structure.
But one use-case you'll likely want at some point is to show a list of the public info for all users. With your current data structure that is not possible, because Firebase's security model cannot be used to filter data. For a great answer covering this, see Restricting child/field access with security rules.
Most developers split the public and private data in completely separate subtrees:
{
"users" : {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"Name:" : "Example 1",
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"Name:" : "Example 2",
}
},
"public_profiles": {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"email" : "example1#gmail.com"
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"email" : "example2#gmail.com"
}
}
}
You can then secure access with:
{
"rules": {
"users": {
"$uid":{
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
}
},
"public_profiles": {
".read": "auth != null",
"$uid":{
".write": "auth != null && auth.uid == $uid",
}
}
}
}
Now any authenticated user can listen to /public_profiles, which means you can easily show a list of these profiles.
Hmm wouldn't it be easier to (re)structure the db so that you have a public and a private field per user? Something like:
{
"users" : {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"private": {
"Name:" : "Example 1"
},
"public" : {
"email" : "example1#gmail.com"
}
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"private": {
"Name:" : "Example 2"
},
"public" : {
"email" : "example2#gmail.com"
}
}
}
}
/UPD: This way it should be easy(er) to have the different permissions because they won't inherit them from the parent?
I need to create a validation rule in firebase to don't have repeated data like a primary key in a relational DB. Here is the code I was trying:
"roles": {
".read": "auth.uid != null",
"$rol_id": {
".write": "auth.uid != null",
".validate": "newData.hasChildren(['description', 'state'])",
"description": {
".validate": "newData.isString() &&
newData.val().matches(/[A-Za-z]$/i) &&
root.child('roles').child('$rol_id').child('description').val() !=
root.child('roles').child('$rol_id').child('description').exists()"
},
"state": {
".validate":"newData.isBoolean()"
}
}
},
The problem is that I can't enter in $rol_id unless i give it a constant value but i need it to evaluate in each object.
This is the structure from roles in firebase:
"roles" : {
"-KMohJaG6djjeBiq3oiV" : {
"creationDate" : 1468689365795,
"description" : "administrador",
"id" : "-KMohJaG6djjeBiq3oiV",
"permissions" : {
"inputs" : true,
"kardex" : true,
"outputs" : true,
"persons" : true,
"product" : false,
"rol" : true,
"sales" : true,
"supplier" : true,
"user" : true
},
"state" : true
},
}
I am wondering if it's possible to do the firebase authentication on strings? I have seen it being done on keys like -XDhabsuduydvtest <- random test key.
Now i have this structure:
{
"conversations" : {
"person1" : {
"person2" : {
"0" : 0,
"last_read" : 1460377167535
}
},
"person2" : {
"person1" : {
"0" : 0,
"last_read" : 1460377125515
}
}
},
"messages" : {
"eb-uuid-729fc0ac-49b8-48fa-a2ff-f2ada67b9e4c-person1" : {
"body" : "Dit is een test vanuit iOS",
"date" : 1460383996536,
"sender" : "eb-uuid-729fc0ac-49b8-48fa-a2ff-f2ada67b9e4c"
},
"person1-person2" : {
"-KF49xHKqnDawywJ9H0b" : {
"body" : "test message",
"date" : 1460375639190,
"sender" : "person1"
},
"-KF4Fc1KHH31O4_l0QWh" : {
"body" : "new",
"date" : 1460377125013,
"sender" : "person2"
}
}
},
"users" : {
"eb-uuid-729fc0ac-49b8-48fa-a2ff-f2ada67b9e4c" : {
"chat_enabled" : true,
"email" : "test#gmail.com",
"first_name" : "John",
"last_name" : "Smith",
"provider" : "password",
"push_muted" : false,
"push_token" : "some-push-token",
"uid" : "729fc0ac-49b8-48fa-a2ff-f2ada67b9e4c",
"username" : "johnsmith"
},
"person1" : {
"first_name" : "person",
"last_name" : "one"
},
"person2" : {
"first_name" : "person",
"last_name" : "two"
}
}
}
plus some security rule i tried, obviously i'd like to check if the uuid's are the same, and not only if one exists
{
"rules": {
"messages": {
"$conv":{
//Person can only read a conversation he/she is participating in
".write": true,
".read": true,
".indexOn": ["date"]
}
},
"users":{
"$ebuuid":{
".write": "root.child('users').child($ebuuid).hasChild('uid')",
".read": "root.child('users').child($ebuuid).hasChild('uid')"
}
},
"conversations":{
".write": "data.child('uid').val() === auth.uid",
".read": true
}
}
}
(Replaced images with text)
I'm really not sure how to go from here now .. the user has some uid but i'm not sure how to check it with whether he or she can post messages etc ..
I'm trying to create a twitter clone to learn to use Firebase and I would love to get a suggestion about how to create the database structure. My biggest concern is related to followers and how to create a timeline when you are following for example 500 users. You would need to perform 500 queries and sort somehow for datetime.
{
"followers" : {
"cesar" : {
"followers" : {
"cesar2" : true
},
"following" : {
"cesar2" : true
}
},
"cesar2" : {
"followers" : {
"cesar" : true
},
"following" : {
"cesar" : true
}
}
},
"tweet" : {
"cesar" : [ null, {
"content" : "tweet 1"
} ]
},
"users" : {
"cesar" : {
"name" : "César",
"notifications" : true,
"username" : "cesar"
},
"cesar2" : {
"name" : "César2",
"notifications" : false,
"username" : "cesar2"
}
}
}
See Firefeed, Firebase's open-source Twitter clone. It includes a walkthrough of the data structure it uses, which boils down to using a fan-out approach when new messages are posted. Here's a copy of the rules used, which describes the underlying data structure:
{
"rules": {
// All data is readable by anyone.
".read": true,
"people": {
// A list of users with their names on the site.
"$userid": {
// Only the user can write their own entry into this list.
".write": "$userid ==auth.uid"
}
},
"users": {
"$userid": {
// The user is allowed to write everything in their bucket.
".write": "$userid ==auth.uid",
"following": {
// The following list should only contain actual ids from the "people" list.
"$followingid": {
".validate": "root.child('people').hasChild($followingid)"
}
},
"followers": {
// Anyone can add themself to to this user's followers list.
"$followerid": {
".write": "$followerid ==auth.uid"
}
},
"feed": {
"$sparkid": {
// User A can write in user B's feed, but only if A is following B, and only for sparks for which they are the author.
".write": "root.child('users/' + $userid + '/following').hasChild(auth.uid) && root.child('sparks/' + $sparkid + '/author').val() ==auth.uid"
}
}
}
},
"sparks": {
// A global list of sparks (the "firehose").
"$sparkid": {
// Modifying an existing spark is not allowed.
".write": "!data.exists()",
// Every spark should have an author and a body.
".validate": "newData.hasChildren(['author', 'content'])",
// A user can attribute a spark only to themselves.
"author": {
".validate": "newData.val() ==auth.uid"
},
"content": {
".validate": "newData.isString()"
}
}
},
"recent-users": {
// Users can add themselves to the list of users with recent activity.
"$userid": {
".write": "$userid ==auth.uid"
}
},
"recent-sparks": {
// Authors of sparks can add their sparks to this list.
"$sparkid": {
".write": "root.child('sparks/' + $sparkid + '/author').val() ==auth.uid"
}
},
"search": {
"firstName": {
"$searchKey": {
".write": "auth != null && (root.child('people/' +auth.uid + '/firstName').val() + '|' + root.child('people/' +auth.uid + '/lastName').val() + '|' +auth.uid) == $searchKey && newData.val() ==auth.uid"
}
},
"lastName": {
"$searchKey": {
".write": "auth != null && (root.child('people/' +auth.uid + '/lastName').val() + '|' + root.child('people/' +auth.uid + '/firstName').val() + '|' +auth.uid) == $searchKey && newData.val() ==auth.uid"
}
}
}
}
}