My goal is allow users to write document which calculate age from birthday only between 16 to 100, I am consider using request.time - duration but duration is not support years so I can't just simply use request.time - duration.value(16, 'y') to achive this. Then I am consider just hardcode 16 years to millsec but just can't figure out how to deal with leap year. Anyone got better idea to this?
I don't think you'll be able to implement such a complex check with Security Rules language.
What you could do is to use a Cloud Function that would calculate and check the age each time a new document is created and, if the age is under 16, does something like the following options (up to you to decide):
We use JavaScript or TypeScript in Cloud Functions for Firebase so you'll be able to accurately calculate the age. You could even use a library like moment or dayjs.