So I have my react-native project setup for firebase. I was mostly using analytics and crashlytics, and the firebase configuration files for both the ios and android deployments are correctly configured (the plist and json files), as I am able to use those services.
Now I want to also use the firestore. I was under the impression that the same configuration files with the firebase access info would be enough. But it doesn't seem to be the case. And I don't understand why.
My firebase access rule is simple enough:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /receipts/{receipt} {
allow read, write: if request.auth != null;
}
}
}
The error I'm getting is:
[Error: [firestore/permission-denied] The caller does not have permission to execute the specified operation.]
which goes away if I remove the if condition in the rule.
So I don't think the problem is there. I was wondering if for some reason firestore requires the web type configuration in my app, in the firebase.js file. But at this point I am doing trial and error development here...
Any insight would be much appreciated.
Related
My goal is to block any write requests that don't come directly from my API in google cloud run.
I think my firebase Web API key from the general project settings could help but I can't find the right storage rule that can do this.
I found the storage rule for authenicated users etc but I don't use firebase authentication. Instead I authenticate users in the API that is hosted in google cloud run.
I think it is in this direction but please correct me if I am wrong.
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if true;
allow write: if request comes from my API with the Web API key;
}
}
}
sources:
https://firebase.google.com/docs/storage/security/rules-conditions
https://firebase.google.com/docs/storage/gcp-integration
There is no way to check what API key is used in the call to Cloud Storage.
But access from Cloud Run usually happens through one of the GCP SDKs/APIs and those access the project with administrative privileges and bypass your security rules altogether.
So you might as well deny all write access from untrusted clients with:
allow write: if false;
So in firebase I created a database named crud.
Now database rules looks like this,
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
Now I try to access the API with https://crud-12b8c.firebaseio.com/crud/users.json then I get 404 not found error. What am I doing wrong here? I am new to Firebase btw.
You are mixing up Cloud Firestore and the Firebase Realtime Database. firebaseio.com URLs are for Realtime Databases, but the console screenshot you're showing and the security rules you're displaying are for Firestore.
I'd recommend reading the guides about how to access data using the Firestore SDKs.
Accessing the firebase API is done through the Rest API service of which, you can find the full documentation here: https://firebase.google.com/docs/projects/api/reference/rest
This includes means of accessing Firestore data points directly through web requests:
https://firebase.google.com/docs/firestore/reference/rest/v1/projects.databases.documents/get
For example:
https://firestore.googleapis.com/v1beta1/projects/crud-12b8c/databases/(default)/documents/crud
It does get complicated but this is a great start to using Firebase per your needs.
I am working on a project to upload images from the gallery to firebase storage. I am facing the error that the User is not authorized to perform the desired action, but I am able to perform all other actions, e.g making a collection for users on firestore, etc, but I can't upload images to firebase storage.
Images are attached below.
My code for uploading images to firebase storage/firestore: Code Image
The rule I am using: Firebase Storage Rule
The rules you've attached in the screenshot are of Cloud Firestore. Firebase storage has its own security rules.
Please make sure you've created a bucket in Firebase Storage from the console and set the rules that allow the relevant users to upload
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
These rules will allow authenticated users upload and download files. Please let me know if the issue persists.
I have the following rules in my bucket:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
}
}
}
This says to me that public can read - but they can't. Checking on the google cloud storage UI, there is no 'public url'.
So a couple of questions:
Does firebase give a different URL for accessing the file which will issue permissions based on the above rule configuration?
There is a firebase-adminsdk service account in GCS bucket permissions - is that what firebase uses to access the bucket?
Which credentials overwrite each other?
Cloud Storage access permissions and Firebase's Storage rules are unrelated.
Firebase's Storage rules apply to users who access the data in the bucket through a Firebase SDK. In addition Firebase can generate a so-called download URL, which gives everyone who has that URL read-only access to that file.
Cloud Storage access permissions apply to users accessing the data in the bucket through a Cloud API. The Cloud Storage SDKs and APIs can also generate so-called signed URLs, which serve a similar role to the download URLs mentioned above.
Firebase security rules only affect direct access from web and mobile client apps when using the Firebase SDK, especially when the user is authenticated with Firebase Auth (as the user's account token is made available during the evaluation of rules).
Rule do not affect the way service accounts work, or other forms of public access that depend on Cloud Storage ACLs. Those are determined by their own permission systems. Those other systems don't also don't affect Firebase client access at all.
I'm getting the following message in Firebase:
The Cloud Firestore "(default)" database of your project contains
rules that are not secure.
But I have the rules as the documentation says and I don't see any other option. What I want is that anyone can read, but just logged in users can edit content.
These are my rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow read, write: if request.auth.uid != null;
}
}
}
With these rules any authentication user can write all documents in your database, including overwriting documents that were created by other. You're also allowing everyone (no matter if they're authenticated) to read all data in the database, which seem much broader than most apps need. While these are close to some of the default rules you can start with, it is typically not enough for a production app, which is why you receive the warning.
You'll typically want to further lock down access to the database. For example, you might want to ensure that users can only write documents that contain their own UID in a specific field. That way you'll always know who created a document, and can use that to control access to that document.
If you are certain this is the minimum data access that your app requires to function, you can disable the warning emails in the Firebase console. But as said before, in my experience this type of access seems much broader than what I typically see in well functioning, and well protected, apps.