Search for users by email address in Firebase, without exposing everyone's email address to the world in a bulk-readable format.

rules.js

{
  "rules": {
    "users": {
      "$user_id": {
        // email address is required
        ".validate": "newData.hasChildren(['email'])",
      }
    },
    
    "emails_to_users": {
      // I can't list or search the emails_to_users/ path
      "$email_escaped": {
        // I can check any email address I already know to find the user id
        ".read": true,
        // I can only change my own email entry and it must match my user entry
        ".write": "!data.exists() && data.val() === auth.uid && root.child('users/' + data.val() + '/email').val().replace('.', '%2E') === $email_escaped"
      }
    }
  }
}

search_by_email.js

function uidForEmail(email) {
  return new Promise(function(resolve, reject) {
    ref.child('emails_to_users/' + escapeEmail(email)).once('value', function(snap) {
      resolve(snap.val());
    }, reject);
  });
}

function escapeEmail(email) {
  return email.replace('.', '%20');
}

// try it out!
uidForEmail('katowulf@acme.not.real').then(function(uid) {
  console.log('uid for katowulf', uid || '<does not exist>');
}, console.error);