Unique IP write permissions Firebase collection

Question

Let's say I have a collection of articles:

https://example.firebaseio.com/articles/$key

And I want to add a viewCounter and currentUsersCounter children to articles.

https://example.firebaseio.com/articles/$key/viewCounter
https://example.firebaseio.com/articles/$key/currentUsersCounter

I execute a function anytime a user has scrolled into the next article:

var currentArticle = function(key){
  //key == index of the article
  //This is where I want to increment the `viewCounter` and `currentUsersCounter`
}

Obviously I don't want anyone writing to anything more then those two children.

• How do I expand on my security rules which currently (black-lists all writes) to white-listing writes only for these specific collections?

• How would I limit writes to unique IP addresses in my security rules for these white-listed collections? (if possible)

Currently black-listing all writes:

{
  "rules": {
    ".read": true,
    ".write": "auth.email == 'example@gmail.com'"
  }
}

Answer 1

You can't do this in a way that will protect the integrity of the data (i.e. ensuring that the counts are actually accurate), since if you grant write access to those fields a client can write whatever value it wants to it.

You can, however, provide granular read/write access for only those specific children by using variables in your security rules:

{
  "articles": {
    "$key": {
      "viewCounter": {
        ".write": true,
        ".validate": "newData.isNumber() && newData.val() == data.val() + 1"
      },
      "$other": {
        ".write": "auth.email == 'example@gmail.com'"
      }
    }
  }
}

It is not possible to do any filtering based on IP addresses. You'll want to use a secret from trusted server code to do that as suggested in the comment.