firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {    
    match /leaderboard/{userId} {

      function prohibited(initials) {
        let prohibitedInitials = get(/databases/$(database)/documents/prohibitedInitials/list).data.prohibitedInitials;
        return initials in prohibitedInitials;
      }
      
      function inCharLimit(initials) {
        return initials.matches('[A-Z]{3}');
      }

      function isValidScore(score) {
        return score > 0 && score < 9999999999;
      }
      
      function isAuthedUser(auth) {
      	return request.auth.uid != null && auth.token.firebase.sign_in_provider == 'anonymous'
      }

      function isValidCharacter(character) {
         return character == 'android' || character == 'dash' || character == 'dino' || character == 'sparky';
       }
   
      // Leaderboard can be read if it doesn't contain any prohibited initials
      allow read: if isAuthedUser(request.auth);
      
      // A leaderboard entry can be created if the user is authenticated,
      // it's 3 characters long and capital letters only, not a 
      // prohibited combination, the score is within the accepted score window
      // and the character is in the valid list
      allow create: if isAuthedUser(request.auth) &&
                       inCharLimit(request.resource.data.playerInitials) && 
                       !prohibited(request.resource.data.playerInitials) &&
                       isValidScore(request.resource.data.score) &&
                       isValidCharacter(request.resource.data.character);
    }
  }
}