I am using REST API in my vuejs app to access firebase realtime database, I authenticate users using Google provider and get access token.
Whe I try fetching data using access_token https://rtdb-url/uid/products.json?access_token=[access token] user get 401 error.
But if the user was added to "Users and permissions" in project settings it works.
Rule appplied to RTDB
{
"rules": {
"$uid": {
"products": {
".write": "auth != null && $uid === auth.uid",
".read": "auth != null && $uid === auth.uid"
}
}
Apparently, I just needed to use the access token I got and send it to the following endpoint in the POST body:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=
As described in the documentation.
Related
I am trying to use fetch to access /userInfo collection and I have the following rules in firebase:
"rules": {
"userInfo": {
"$uid": {
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
I was trying to extend the default user profile and saw that I need to create collection and add the additional data there so my collection is "userInfo".
Now I am trying to restrict user of fetching other users information so he cannot do something like:
fetch(db.firebaseio.com/userInfo.json)
and get all the information about all users.
So the problem is when the rule is "auth !== null" I can simply add "?auth=" + token at the end of the url to auth, but it doesn't work the same way for auth.uid.
I wonder what should be the query parameter when sending the request so I can tell to firebase what my user.uid is?
Attaching postman screenshot for better understanding of the problem:
Postman request
Attaching also DB struct from Firebase:
DB Structure
Request with token:
Postman request with token also gives permission denied for this rules
I am new to firebase and I am trying the firebase database rule and firebase auth.
I trying to use the firebase auth for firebase database rule.
So I have create a demo email to test this the database rule.
email : abc#gmail.com
uid : WfipZwUuNvTIkRYvPxsFqzd1rag2
My database rule (followed the firebase site) https://firebase.google.com/docs/database/security/user-security
Firebase Database Rule :
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id == auth.uid",
".read" : "$user_id == auth.uid"
}
}
}
}
I have tried to use the simulator for the database rule with the below custom payload with authenticated and couldn't access the read or write.
Payload :
{
"provider": "password",
"uid": "WfipZwUuNvTIkRYvPxsFqzd1rag2"
}
So what am I missing in this point?
Updates
What I need is use the firebase authenticate email to give a read and write access to the database.
I am currently trying on the firebase database rule simulator.
I keep getting access denied. So maybe is my payload is not right for the authentication. Need HELP!!!
i tried the rules that you specified in ths simulator and i got simulated write allowed the only difference is i didn't use the uid that you specified.
See Below Images for result
As per documentation you should implement:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid",
".read" : "$user_id === auth.uid"
}
}
}
}
Notice you should implement '===' instead of '=='
The above implementation will allow only user WfipZwUuNvTIkRYvPxsFqzd1rag2 to read and write on that specific location "/users/{user_id}"
Updates
I tested and it works this time. Last time i tried the rule did not work that is very weird.
Ok, I assume the simulator's authenticated means if any of my firebase auth user is logged in.
So, my path and my rules have problems during the test and is not my payload
If I want to allow the database access by the firebase auth user then my rule should be like this (I presume).
Rule: for fire base auth to access the whole database with read and write permission.
{
"rules": {
".write": "auth.uid != null",
".read" : "auth.uid != null"
}
}
Thanks #d.mares and #MuruGan
I'm getting permission denied after I have authenticated with Anonymous Auth
[ERROR:topaz/lib/tonic/logging/dart_error.cc(16)] Unhandled exception:
E/flutter (21033): PlatformException(-3, Permission denied, )
...
_getCurrentUser: FirebaseUser({providerId: firebase, uid: DOIL...............u54j1, displayName: , email: , isAnonymous: true, isEmailVerified: false, providerData: [{providerId: firebase, uid: DOIL//////////////54j1, displayName: , email: }]})
My rules on the Firebase DB are
{
"rules": {
//Test rule
// "users": {
// "$uid": {
// ".read": "auth != null && auth.uid == $uid",
// ".write": "auth != null && auth.uid == $uid",
// }
// }
// General rule - closed to everyone but app uses
".read": "auth != null",
".write": "auth != null"
}
}
The code I use to save data - works fine with DB rules set to open to all.
_saveUserData(UserEntry userData) async {
print("_saveUserData jsonData =" userData.toJson().toString());
// SAVE MY DATA TO DB
// tUsers = db reference to the child node users on Firebase
_tUsers.push().set(talentUserData.toJson());
}
What am I doing wrong ? Any assistance is appreciated. Thanks.
In the hope of saving someone a headache. I found the problem to be not getting a fresh instance of the Firebase Database. I created the instance in my main.dart and passed it to my HomePage in the constructor (per the example file in the library).
When I got a fresh instance ...out of desperation debugging...it worked. I can now have anonymous login so that only people who have installed the app can write to the database.
I'm still starting out with firebase and i'm using angularfire to connect.
I was able to do the authentication successfully using google as a provider and I logged in using my account and got back my user details including uid & image, however, when I attempt to retrieve any data I get: permission_denied at /series: Client doesn't have permission to access the desired data. I also tried the simulator and got the same issue.
Here's my database:
My rules:
The data I entered in the simulator. I got the uid after signing in using google in the app:
And the result after using the simulator:
Here's where I got my UID from: (The authentication tab)
What am I supposed to be doing but not doing?
Finally found the answer. As cartant wrote
there are no read permissions granted, as .read defaults to false
all I needed to do was to ".read": "auth != null"
So the new rules are:
{
"rules": {
"series": {
".read": "auth != null", << THAT WAS MISSING
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
Before in my app I was creating accounts successfully until I put some rules
{
"rules": {
"users": {
"$uid": {
// grants write access to the owner of this user
// account whose uid must exactly match the key ($uid)
".write": "auth !== null && auth.uid === $uid",
// grants read access to any user who is logged in
// with an email and password
".read": "auth !== null && auth.provider === 'password'"
}
}
}
}
then, the accounts are created because I see those accounts in the dashboard. But once I try to create, I am getting this kind of errors
FIREBASE WARNING: set at /users/simplelogin:32 failed: permission_denied
Since you want the user to be able to create their own node initially, you'll need to explicitly allow the case where the location is new.
Based on the documentation on the auth parameter:
".write": "!data.exists() || auth.uid === $uid""
Note: I'm not entirely sure this will work, but felt it'd be more readable as in answer-format than as a "try this" comment.