Do not allow Firebase node listing

Question

TL;DR;

users can't read/write at root/chat-rooms/

users can read/write at root/chat-rooms/guid-id

Full version:

I have the following Firebase structure:

root > chat-rooms > room-id-guid (1000+) > messages under each room-id-guid

I don't want my users to authenticate with user/pass; as long as you can get into the room through the UI (links are generated on the server, and only a couple of rooms are available to any given user), you can read/write.

What I don't want is for users to be able to list all of the room-id-guids (e.g. through the developer console) and read/write to the room bypassing the UI.

Is this possible?

Answer 1

To accomplish this, simply disable reading at the root or list-level of your Firebase, but permit reading at the specific room level:

{
  ".read": "false",
  ".write": "false",
  "chat-rooms": {
    "$guid": {
      ".read": "true"
    }
  }
}