firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    
    // Helper functions
    function isAuthenticated() {
      return request.auth != null;
    }
    
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }
    
    function hasRequiredFields(fields) {
      return request.resource.data.keys().hasAll(fields);
    }
    
    function isValidString(field, minLen, maxLen) {
      return request.resource.data[field] is string
             && request.resource.data[field].size() >= minLen
             && request.resource.data[field].size() <= maxLen;
    }
    
    function isValidNumber(field, min) {
      return request.resource.data[field] is number
             && request.resource.data[field] >= min;
    }
    
    // Public user profiles for friend lookups
    // Only contains email, displayName, and uid - safe to query
    match /public_users/{userId} {
      // Anyone authenticated can read to search for friends
      allow read: if isAuthenticated();
      
      // Only the user can create/update their own public profile
      allow create, update: if isOwner(userId)
                            && hasRequiredFields(['email', 'displayName'])
                            && isValidString('email', 3, 100)
                            && isValidString('displayName', 1, 200)
                            && request.resource.data.keys().hasOnly(['email', 'emailLowercase', 'displayName', 'photoUrl', 'createdAt', 'updatedAt']);
      
      allow delete: if isOwner(userId);
    }
    
    // User profile document
    match /users/{userId} {
      allow read: if isOwner(userId);
      
      allow create: if isOwner(userId)
                    && hasRequiredFields(['fullName', 'contact'])
                    && isValidString('fullName', 1, 200)
                    && isValidString('contact', 7, 20)
                    && (!('contactLowercase' in request.resource.data) || request.resource.data.contactLowercase == request.resource.data.contact.lower())
                    && request.resource.data.keys().hasOnly(['fullName', 'contact', 'contactLowercase', 'profilePhotoPath', 'createdAt', 'updatedAt']);
      
      allow update: if isOwner(userId)
                    && hasRequiredFields(['fullName', 'contact'])
                    && isValidString('fullName', 1, 200)
                    && isValidString('contact', 7, 20)
                    && (!('contactLowercase' in request.resource.data) || request.resource.data.contactLowercase == request.resource.data.contact.lower())
                    && (!('createdAt' in request.resource.data) || request.resource.data.createdAt == resource.data.createdAt);
      
      // Categories subcollection
      match /categories/{categoryId} {
        allow read: if isOwner(userId);
        
        allow create: if isOwner(userId)
                      && hasRequiredFields(['name'])
                      && isValidString('name', 1, 100)
                      && request.resource.data.keys().hasOnly(['name', 'createdAt', 'updatedAt']);
        
        allow update: if isOwner(userId)
                      && hasRequiredFields(['name'])
                      && isValidString('name', 1, 100)
                      && (!('createdAt' in request.resource.data) || request.resource.data.createdAt == resource.data.createdAt);
        
        allow delete: if isOwner(userId);
      }
      
      // Goals subcollection
      match /goals/{goalId} {
        allow read: if isOwner(userId);
        
        allow create: if isOwner(userId)
                      && hasRequiredFields(['month', 'minGoal', 'maxGoal'])
                      && isValidString('month', 7, 7)
                      && request.resource.data.month.matches('^\\d{4}-\\d{2}$')
                      && goalId == request.resource.data.month
                      && isValidNumber('minGoal', 0)
                      && isValidNumber('maxGoal', 0)
                      && request.resource.data.maxGoal >= request.resource.data.minGoal
                      && request.resource.data.keys().hasOnly(['month', 'minGoal', 'maxGoal', 'createdAt', 'updatedAt']);
        
        allow update: if isOwner(userId)
                      && hasRequiredFields(['month', 'minGoal', 'maxGoal'])
                      && goalId == request.resource.data.month
                      && isValidNumber('minGoal', 0)
                      && isValidNumber('maxGoal', 0)
                      && request.resource.data.maxGoal >= request.resource.data.minGoal
                      && (!('createdAt' in request.resource.data) || request.resource.data.createdAt == resource.data.createdAt);
        
        allow delete: if isOwner(userId);
      }
      
      // Expenses subcollection
      match /expenses/{expenseId} {
        allow read: if isOwner(userId);
        
        allow create: if isOwner(userId)
                      && hasRequiredFields(['categoryId', 'date', 'amount'])
                      && isValidString('categoryId', 1, 100)
                      && isValidString('date', 10, 10)
                      && request.resource.data.date.matches('^\\d{4}-\\d{2}-\\d{2}$')
                      && isValidNumber('amount', 0.01)
                      && request.resource.data.keys().hasOnly(['categoryId', 'date', 'amount', 'description', 'startTime', 'endTime', 'photoPath', 'createdAt', 'updatedAt']);
        
        allow update: if isOwner(userId)
                      && hasRequiredFields(['categoryId', 'date', 'amount'])
                      && isValidString('categoryId', 1, 100)
                      && isValidString('date', 10, 10)
                      && isValidNumber('amount', 0.01)
                      && (!('createdAt' in request.resource.data) || request.resource.data.createdAt == resource.data.createdAt);
        
        allow delete: if isOwner(userId);
      }

      // Friend requests subcollection
      match /friend_requests/{requestId} {
        allow read: if isOwner(userId);

        allow create: if isAuthenticated()
                      && request.auth.uid == requestId
                      && request.resource.data.fromUid == request.auth.uid
                      && request.resource.data.toUid == userId
                      && request.resource.data.status == 'PENDING';

        allow update: if isOwner(userId);
        allow delete: if isOwner(userId);
      }

      // Friends subcollection
      match /friends/{friendUid} {
        function hasAcceptedRequest() {
          return exists(/databases/$(database)/documents/users/$(friendUid)/friend_requests/$(userId))
                 && get(/databases/$(database)/documents/users/$(friendUid)/friend_requests/$(userId)).data.status == 'ACCEPTED';
        }

        allow read: if isOwner(userId);

        allow create: if isOwner(userId)
                      || (isAuthenticated()
                          && request.auth.uid == friendUid
                          && hasAcceptedRequest());

        allow update, delete: if isOwner(userId);
      }
    }

    // Collaborative Goals collection (Social feature)
    match /collaborative_goals/{goalId} {
      function isGoalParticipant() {
        return isAuthenticated() && request.auth.uid in resource.data.participants;
      }

      function isGoalCreator() {
        return isAuthenticated() && request.auth.uid == resource.data.createdBy;
      }

      // Anyone authenticated can read goals they're part of
      allow read: if isGoalParticipant();

      // Only authenticated users can create goals
      allow create: if isAuthenticated()
                    && request.auth.uid == request.resource.data.createdBy
                    && request.resource.data.participants.hasOnly([request.auth.uid])
                    && request.resource.data.status == 'ACTIVE'
                    && hasRequiredFields(['name', 'createdBy', 'totalBudget', 'currentSaved', 'participants', 'categories', 'status'])
                    && isValidString('name', 1, 100)
                    && isValidNumber('totalBudget', 0.01)
                    && request.resource.data.currentSaved == 0
                    && request.resource.data.categories is list;

      // Only participants can update goals
      allow update: if isGoalParticipant();

      // Only creator can delete
      allow delete: if isGoalCreator();

      // Contributions subcollection
      match /contributions/{contributionId} {
        function isGoalMember() {
          return isAuthenticated() 
                 && request.auth.uid in get(/databases/$(database)/documents/collaborative_goals/$(goalId)).data.participants;
        }

        // All goal members can read contributions
        allow read: if isGoalMember();

        // Only the contributor can create their own contributions
        allow create: if isAuthenticated() 
                      && request.auth.uid == request.resource.data.uid
                      && isGoalMember()
                      && hasRequiredFields(['goalId', 'categoryId', 'uid', 'amount', 'date'])
                      && request.resource.data.goalId == goalId
                      && isValidNumber('amount', 0.01)
                      && isValidString('date', 10, 10);

        allow update, delete: if false; // Contributions are immutable
      }
    }

    // Challenges collection (Race feature)
    match /challenges/{challengeId} {
      function isParticipant() {
        return isAuthenticated() && request.auth.uid in resource.data.participants;
      }

      function isCreator() {
        return isAuthenticated() && request.auth.uid == resource.data.createdBy;
      }

      // Anyone authenticated can read challenges they're part of
      allow read: if isParticipant();

      // Only authenticated users can create challenges
      allow create: if isAuthenticated()
                    && request.auth.uid == request.resource.data.createdBy
                    && request.resource.data.participants.hasOnly([request.auth.uid])
                    && request.resource.data.status == 'PENDING'
                    && hasRequiredFields(['name', 'createdBy', 'createdByEmail', 'budget', 'startDate', 'endDate', 'status', 'participants', 'inviteCode'])
                    && isValidString('name', 1, 100)
                    && isValidNumber('budget', 0.01)
                    && isValidString('startDate', 10, 10)
                    && isValidString('endDate', 10, 10)
                    && isValidString('inviteCode', 6, 6);

      // Creator can update status; participants can update to join
      allow update: if isAuthenticated()
                    && (isCreator() || request.auth.uid in request.resource.data.participants);

      // Only creator can delete
      allow delete: if isCreator();

      // Participants subcollection
      match /participants/{participantUid} {
        function isChallengeParticipant() {
          return isAuthenticated() 
                 && request.auth.uid in get(/databases/$(database)/documents/challenges/$(challengeId)).data.participants;
        }

        // All challenge members can read participant data
        allow read: if isChallengeParticipant();

        // Only the participant can write their own data
        allow write: if isAuthenticated() && request.auth.uid == participantUid;
      }
    }
  }
}