Access denied on Firebase Realtime Database security rules simulator - firebase

It is hard for me to understand why the simulator puts me off for this input
I supplied this auth token body:
{
"account": "7xms2zm6noz03f2mvn",
"playerId": "d3221a31-263c-4629-92fb-6cac89b67088"
}
I am using custom authentication to supply the above blob.
Please see the attached screenshot for how the simulator treats this:
This is my database tree:
What am I missing?

It appears that when you use the simulator, the "auth token payload" is actually at the auth level, not at the auth.token level.
So, you need to simulate the auth.token.account claim like this:
{
"token": {
"account": "7xms2zm6noz03f2mvn",
"playerId": "d3221a31-263c-4629-92fb-6cac89b67088"
}
}
You can tell it is (apparently) misnamed because if, for example, you select the "Google" provider, then provider and uid are both at the top level of this blob (which can't be modified), and that is where you would expect to find them.
Likewise this image from this blog post shows the token block as a sub-block in the simulator.

Related

connecting firebase Realtime database with chrome extension

I'm beginner and I'm developing a chrome extension that shows data received from my firebase realtime database. It does not need Login, or any personal information.
I'm trying to use REST API. Until now I have been in a test mode so I opened access to data for all. But Google keeps mailing me that I have to change the access rule because it is dangerous.
My present access rule is this:
{
"rules": {
".read": true,
".write": false
}
}
Now, I fetch data from https://<project name>.firebaseio.com/<database name>.json. But if I change the rule, the access will be denied.
So I want to add some key to the url and change access rule according to it so that I can fetch data from the url. For example,
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>.
I do not need personal keys so I want only one key just like when we get information from open APIs. For example, when I use weather api, I get my api key from the host and adds the key to url.
Is this possible? If it is, I wonder two things.
the key that I can use (for example, realtime base wep API key)
access rule of realtime database
You can't pass parameters to the Firebase database like this:
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>
But if you change the order of the values, it suddenly becomes possible:
https://<project name>.firebaseio.com/<some_key>/<database name>.json
We then change the security rules to only allow access when somebody already knows the secret key:
{
"rules": {
".write": false,
"$some_key": {
".read": true
}
}
}
Now the secret key is part of the path of the data, and only a user that already knows the key can read the data for that key.

How to check for authenticated users on Google Cloud Function

I am building a web site and decided to go pure HTML+JS with full Firebase so I don't have to implement a backend system to test new ideas. The use case for this question is that all users should be authenticated in order to get access to the pages (pretty standard security feature, right?).
To accomplish that, I am taking advantage of Google Cloud Functions to check whether a user is signed in or not before allowing access to the pages.
Here is the code implemented on firebase.json:
"hosting": {
"rewrites": [ {
"source": "/home.html",
"function": "home"
} ]
}
Inside the home function, I run the following code to check whether the Id Token is a valid one:
admin.auth().verifyIdToken(idToken).then((decodedToken) => {
const userId = decodedToken.uid;
})
The problem I am facing is that the value for idToken is invalid:
Firebase ID token has incorrect algorithm. Expected "none" but got
"RS256"
I tried to copy & past the value from result.credential.accessToken, but I still get the same error message.
firebase.auth().getRedirectResult().then(function(result) {
if (result.credential) {
var token = result.credential.accessToken;
}
});
Any help will be very appreciated.
Thanks!
I understand that you direct the HTTPS requests to your home HTTPS Cloud Function.
You should pass the Firebase ID token as a Bearer token in the Authorization header of the HTTP request, as explained and demonstrated in the following official Cloud Function sample.

Getting Permission Denied for read and write

I got my app working with read and write with wide-open permissions and now I'm locking it down. My app won't read or write though. I get permission denied errors despite the Firebase rules simulator saying that my rules are ok for a Facebook authenticated user whose UID I got from a successful firebase signInWithProvider. What am I missing?
{
"rules": {
"items": {
"$uid": {
// user must match the authenticated user
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
}
This is my data structure:
my-firebase-app
-items: {
-<uid123> : [
{label:'apple'},
{label:'banana'}
]
-<uid456> : [
{label:'pear'},
{label:'cherry'}
]
}
I sign into firebase after facebook auth by doing, firestack.auth.signInWithProvider(provider, facebookAccessToken, ''), which gives me my user object including uid
I push to /items/uid123 and get an item id, 333
I set the item {label:'apple'} for the new ID (333) at /items/uid123/333
I subscribe to the collection of items at /items/uid123 by doing this with the web sdk: itemsRef.child(uid).on('value', (snapshot) => .....
My set call looks like,
const newPostRef = itemsRef.child(uid).push();
newPostRef.set(itemWithID)
set promise gets rejected with permission denied error.
All the things above work fine if my .read and .write are simply set to true which leads me to think my syntax or structure is just off in the rules def. Would love some input.
There is nothing wrong with the security rules, and in theory, both the set and the query operations look fine.
In practice however, you are making a grave mistake. As you revealed in the comments, you are trying to use both the Web SDK and the react-native-firestack library at the same time!
The authentication state is not shared between the two, thus the on('value') query is completely unauthenticated. If you added the third parameter to on (the cancel callback), you would see the permission denied error.
You must eliminate the web SDK completely, and use the realtime database via firestack too.

Firebase Security Rules Block Writing to Firebase

Note: This question is tagged polymer because the Polymer library is used to generate the Javascript.
This question is about two different but related problems dealing with Firebase security. Problem 1 and Problem 2 seem to suggest opposite realities and opposite results when trying to get the Firebase security rules to work. (FWIW: Here is my prior unsuccessful attempt to write this question.)
Here is the live code in a JSBin.
http://jsbin.com/hinehoyigo/edit?html,output
Problem 1
Firebase Security Rules Block Writing to Firebase
Instructions
Enter your firebase ID. Example: "hot-sauce-123"
In a new tab or window, go to your firebase and open it
Allow anonymous auth:
Your firebase
> Login & Auth
> Anonymous tab
> Check "Enable Anonymous User Authentication"
Apply no security rules: Security & Rules >
{
"rules": {
".read": true,
".write": true
}
}
Return back to jsbin
Select "anonymous" as auth provider: dropdown menu > anonymous
Click button labeled "login"
Verify login status per fields to right
Open your console: Chrome > View > Developer > Developer Tools
Click button labeled "Print User to console"
Double-check login status by verifying user object printed to console
Click button labeled "Print Firebase to console"
Verify correct firebase by checking Firebase URL printed to console
Click button labeled "Write to Firebase — Plain Url"
Check your firebase data; notice no write occured
Click button labeled "Write to Firebase — .json Url"
Check your firebase data; notice successful write
Distinguish the two write attempts because former attempts to write {"quux":"baz"};
latter attempts to write {"jquux":"jbaz"}
Add security rules: Security & Rules >
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid === $uid",
".write": "auth != null && auth.uid === $uid"
}
}
}
}
Click again the button labeled "Write to Firebase — .json Url"
Check your firebase data; notice write NOW FAILS
Conclusion / Problem Statement: Firebase security rules block writing to Firebase.
Problem 2
Simulator blocks .json URL from being used (as required above)
Instructions
Open your Firebase
Verify security rules are in place (see above step #19 in Problem #1)...
Open your simulator: Vertical Navigation Menu > Simulator
Check radio button labeled "Custom Auth"
Custom Auth input field should read something like
"{ provider: 'anonymous', uid: 'ag69g401-f097-4171-bca4-927fd1a6e1f3' }"
Click button labeled "Authenticate"
Verify little green check mark is next to radio button labeled "Custom Auth"
Go to section 2
Click tab labeled "Write"
In input field labeled URL, enter "users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar"
Verify the user ID in the URL path you just entered, matches the uid value in the above Custom Auth field
Click button labeled "Simulate Write"
Notice response says something like:
Attempt to write {"key":"value"} to /users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar with auth={"provider":"anonymous","uid":"ag69g401-f097-4171-bca4-927fd1a6e1f3"}
/
/users
/users/ag69g401-f097-4171-bca4-927fd1a6e1f3:.write: "auth != null && auth.uid === $uid"
=> true
Write was allowed.
Notice: This result is the opposite result from above steps #14 and #15 where the plain URL (without .json appended) failed to write
Append ".json" to the URL so the input field reads something like
"users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar.json"
Click button labeled "Simulate Write"
Notice response says something like:
Invalid path. Simulation aborted.
Notice: This result is the opposite result from above steps #16 and #17 where the .json appended URL was the only one that worked;
Notice these simulator tests suggest the opposite results than those tested from the live code in above Problem #1
Problem 1
You're using the Polymer firebase-auth element to authenticate with Firebase.
<firebase-auth id="firebaseLogin"
user="{{user}}"
...
Under the hood this calls the Firebase.authAnonymously() method, which authenticates the current session in the Firebase JavaScript SDK.
You're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. But since this is a regular HTTP call, it will not "inherit" then authentication from the Firebase JavaScript client.
To authenticate your REST request, you will need to pass in an auth parameter as documented in the Firebase documentation. You can get the token from the Firebase reference using ref.getAuth().token.
Problem 2
Each element in your Firebase database is accessibly by a unique URL. You can either access it with one of the Firebase SDKs or by directly accessing the REST API that Firebase exposes.
From what I can gather from the jsbin, you're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. The first paragraph of that API documentation explains how Firebase database URLs map to the REST API:
We can use any Firebase app URL as a REST endpoint. All we need to do is append .json to the end of the URL and send a request from our favorite HTTPS client.
So in order to access any data in Firebase using the REST API, you append .json to the URL of that data.
When you're using the Firebase Simulator, the operation is similar to using Firebase's JavaScript SDK. In that case, you should not put the .json suffix at the end of the URL.
So given a Firebase database at https://mine.firebaseio.com/, say you have a user profile at /users/de01fc8104.
You can access that record in the simulator or with a Firebase SDK as https://mine.firebaseio.com/users/de01fc8104
To access the record using the REST API, the URL is https://mine.firebaseio.com/users/de01fc8104.json
Summary
Both of your problems are caused by the fact that you're using two different ways of accessing Firebase: the JavaScript SDK and the REST API. While these two methods can be used together, you will have to ensure you provide the information that is needed. In general you will have an easier experience if you stick to using one way of accessing Firebase from a single client.
#FrankvanPuffelen's answer in Polymer-speak translates into:
Use the <firebase-collection> element's .add() method to write data to Firebase from the client while under security rule enforcement. It's more efficient from a code standpoint as firebase-collection handles all the necessary auth tokens for you automatically.

Fetching custom fields from auth object in Firebase

I am trying to invalidate/revoke client's auth token when they sign on a different device. Initial auth-token is supplied through our server and not firebase (but uses the same secret key, hence works with firebase too).
For each user we save an associated password which gets passed as part of auth-token, when user switches the device - we issue a new password from the server and compare password to invalidate token on server. Firebase connection however still persists.
I am trying to store passwords on firebase for each user. This can then be updated every time we change the password at the backend and use it to invalidate the firebase token as well. However, I am not able to extract password from the auth object. Any ideas?
This is my firebase security rule.
{
"rules": {
".read": root.child('passwords').child(auth.uid).val() == auth.password,
".write": root.child('passwords').child(auth.uid).val() == auth.password
}
}
Surprisingly, none of the custom field in auth object are present.
Whatever you put in the custom auth object would be available in security rules and would be part of the authData returned after authenticating on the client. When you're creating the JWT, you have to follow Firebase's specific rules, which are outlined here. The important part being that a d key contains the authentication data you want to make available. Here's basic example of what the payload might look like.
{
"v": "0",
"iat": 1448391639,
"d": {
"uid": "user1234",
"password": "mySecretPassword"
}
}
http://jwt.io/ is a great tool for quickly creating JWTs for testing. If you use the payload above in conjunction with your Firebase secret, you should see the same payload within your auth data and security rules.
f.authWithCustomToken('eyJhbGciOiJIUz...', function(err, data) {
if (err) {
// Handle error
} else {
console.log(data.auth); // {uid: "userId1234", password: "mySecretPassword"}
}
});

Resources