Assuming that we're talking about Simple Login for authentication, the user object will contain an ID (with custom login, you will determine the contents). Split the todos up by user id, storing them in separate paths.

    /todos/user_id/...

Then in security rules, after login, the auth object contains the user's id, so you can secure each path by user:

    "todos": {
      "$user_id": {
        ".read": "auth.id === $user_id",
        ".write": "auth.id === $user_id"
      }
    }

Keep in mind that if you are going to use multiple providers, then you will also want to split this up by provider, since ids are only unique for a given provider.

    /todos/provider_id/user_id

    "todos": {
      "$provider_id": {
        "$user_id": {
          ".read": "auth.id === $user_id && auth.provider === $provider_id",
          ".write": "auth.id === $user_id && auth.provider === $provider_id"
        }
      }
    }
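
An added illustration, not part of the original answer and not Firebase's rule engine: a small JavaScript model of the two rule sets above, useful for checking that per-provider rules keep accounts with the same id apart. The `canRead` helper, the predicate form of the rules, and the sample auth objects are constructed for this example.

```javascript
// The ".read" strings from the rules above, rewritten as predicates.
// auth is null when nobody is logged in; v holds the bound $wildcards.
const rulesByUser = {
  todos: {
    $user_id: { ".read": (auth, v) => auth !== null && auth.id === v.$user_id },
  },
};
const rulesByProvider = {
  todos: {
    $provider_id: {
      $user_id: {
        ".read": (auth, v) => auth !== null &&
          auth.id === v.$user_id && auth.provider === v.$provider_id,
      },
    },
  },
};

// Walk the rules tree along the path, binding $wildcards to path segments.
// A ".read" that evaluates to true grants access to that node and everything
// below it; a path that never hits a true rule is denied.
function canRead(rules, auth, path) {
  const vars = {};
  let node = rules;
  for (const segment of path.split("/").filter(Boolean)) {
    if (!segment.startsWith(".") && Object.prototype.hasOwnProperty.call(node, segment)) {
      node = node[segment];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false; // no rule covers this path
      vars[wildcard] = segment;
      node = node[wildcard];
    }
    if (typeof node[".read"] === "function" && node[".read"](auth, vars)) return true;
  }
  return false;
}

// Constructed sample users: two providers that happened to issue the same id.
const passwordUser = { provider: "password", id: "1" };
const twitterUser = { provider: "twitter", id: "1" };

console.log(canRead(rulesByUser, passwordUser, "/todos/1"));              // true
console.log(canRead(rulesByUser, twitterUser, "/todos/1"));               // true: ids collide
console.log(canRead(rulesByProvider, passwordUser, "/todos/password/1")); // true
console.log(canRead(rulesByProvider, twitterUser, "/todos/password/1"));  // false
```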