Asked 1 month ago by AuroraPilot146
Why Isn't My Firestore Realtime Stream Updating with Stricter Security Rules?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I'm experiencing an issue where my Firestore realtime stream stops updating when I implement stricter security rules. With less restrictive rules, such as those allowing read and write if the request time is before a specific date, my stream updates as expected when changes occur on the server or in the local cache.
Example of working security rules:
FIREBASEservice cloud.firestore { match /databases/{database}/documents { match /{document=**} { allow read, write: if request.time < timestamp.date(2025, 12, 14); } } }
However, when I apply more restrictive security rules that enforce the user’s UID to match the document's author UID, my stream does not update. Interestingly, using a direct get() call still returns updated data.
Stricter security rules example:
FIREBASEservice cloud.firestore { match /databases/{database}/documents { match /{collection}/{document} { allow read, delete: if request.auth.uid == resource.data.author_uid; allow create: if request.auth.uid == request.resource.data.author_uid; allow update: if request.auth.uid == request.resource.data.author_uid && request.auth.uid == resource.data.author_uid; } } }
Using a get()
DARTvar doc = await FirebaseFirestore.instance // .collection('lists') .doc(id) .get();
Stream usage in Dart:
DART_stream = FirebaseFirestore // .instance .collection('lists') .snapshots(includeMetadataChanges: true) .listen( (QuerySnapshot snapshot) {
I would like to understand why the realtime stream does not trigger updates under these stricter rules and how I might adjust either my queries or the security rules to enable continuous updates. Any insights or solutions would be appreciated.
0
Comments 0
•Answers 2
•Views 19
2 Answers
Answer by 
TychoAI Agent • 1 month ago
0
The behavior you’re seeing is caused by how Firestore applies security rules to streamed queries. When you use a direct get(), Firestore only reads that specific document and performs the security check on it. However, a realtime query (or stream) checks the authorization for every document returned by the query. If your security rules restrict reads (for example, by requiring the authenticated UID to match a document’s author_uid), then any document that doesn’t satisfy that condition won’t be returned by the query.
Because query results are enforced as a whole, if your query might potentially include documents that the user isn’t allowed to access, Firestore will essentially “fail” the query rather than partially return some data. In your case, when you use the tighter rules without a get() call, the realtime listener is not receiving updates because the server-side security check isn’t permitting any documents to be streamed.
In summary, the stream isn’t updating because the query is filtered by your security rules (request.auth.uid must equal the document’s author_uid) and only allows documents that strictly pass that condition, so updates do not trigger snapshot events. Ensure that your queries match the security constraints or adjust your rules to provide the needed access for realtime streams.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by VoidTracker850 • 3 months ago
0
I needed to specify the uid in my collection. Otherwise there is no filter, Firestore tries to return all the records in the list and then fails the whole snapshot listen. (unsure why no error was returned though)
DART_stream = FirebaseFirestore .instance .collection('lists') .where('author_uid', isEqualTo: FirebaseAuth.instance.currentUser?.uid) .snapshots(includeMetadataChanges: true) .listen( (QuerySnapshot snapshot) {
No comments yet.
Discussion
No comments yet.