I have a chat app using Firebase that keeps on having a
setValue at x failed: DatabaseError: permission denied
error every time I type a message.
I set my Database to be public already:
service cloud.firestore {
match /databases/{database}/documents {
match /{allPaths=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Is it something from within my chat reference?
private void displayChat() {
ListView listOfMessage = findViewById(R.id.list_of_message);
Query query = FirebaseDatabase.getInstance().getReference();
FirebaseListOptions<Chat> options = new FirebaseListOptions.Builder<Chat>()
.setLayout(R.layout.list_item)
.setQuery(query, Chat.class)
.build();
adapter = new FirebaseListAdapter<Chat>(options) {
#Override
protected void populateView(View v, Chat model, int position) {
//Get reference to the views of list_item.xml
TextView messageText, messageUser, messageTime;
messageText = v.findViewById(R.id.message_text);
messageUser = v.findViewById(R.id.message_user);
messageTime = v.findViewById(R.id.message_time);
messageText.setText(model.getMessageText());
messageUser.setText(model.getMessageUser());
messageTime.setText(DateFormat.format("dd-MM-yyyy (HH:mm:ss)", model.getMessageTime()));
}
};
listOfMessage.setAdapter(adapter);
}
Your code is using the Firebase Realtime Database, but you're changing the security rules for Cloud Firestore. While both databases are part of Firebase, they are completely different and the server-side security rules for one, don't apply to the other.
When you go the database panel in the Firebase console, you most likely end up in the Cloud Firestore rules:
If you are on the Cloud Firestore rules in the Firebase console, you can change to the Realtime Database rules by clicking Cloud Firestore BETA at the top, and then selecting Realtime Database from the list.
You can also directly go to the security rules for the Realtime Database, by clicking this link.
The security rules for the realtime database that match what you have are:
{
"rules": {
".read": "auth.uid !== null",
".write": "auth.uid !== null"
}
}
This will grant any authenticated user full read and write access to the entire database. Read my answer to this question on more on the security/risk trade-off for such rules: Firebase email saying my realtime database has insecure rules.
change this
request.auth.uid != null
to
request.auth.uid == null
or defined a proper auth mechanism before starting the conversation where user defined by userID
Related
Hi I have the Firebase project, and when I create the databases, I create some rules for testing.
Now, they expire, and they close my project.
It is my first time working with Firebase projects, and I have no experience. I show you how I have defined the rules for both Cloud Firestore and the Realtime Database.
The project is an application in which users can register and leave their comments.
How should I set the rules for my databases to be secure?
How should I write my rules code?
I was absent from my project for a few days and they wrote to me from Google, which closes my project in two days. I have looked for information, but I do not know how to create the rules so that they are correct and my project also works
I EDIT MY QUESTION to add details
In my application I only want registered users to be able to write comments.
The alert that Firebase shows me is the following:
"Its security rules are defined as public, so anyone can steal, modify or delete data from its database."
The databases are empty, so there are no records yet.
Can you help me? Firebase will close my project if I don't write the rules right, the rules shouldn't be public.
I read the documentation that Firebase offers, but I don't really understand how to create my rules.
They show something like this, for authenticated users:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
And on the other hand they show these rules:
**// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}**
I don't know which one I should use exactly, and how I should write them, so that in my React Native app users can leave feedback.
Can you help me ?
I show the code of the rules of my databases
//REALTIME DATABASE
{
"rules": {
".read": true,
".write": true
}
}
//CLOUD FIRESTORE
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone with your database reference to view, edit,
// and delete all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// all client requests to your Firestore database will be denied until you Update
// your rules
match /{document=**} {
allow read, write: if request.time < timestamp.date(2020, 9, 2);
}
}
}
You can use the following rule where only authenticated users can write and read to the database.
For Cloud Firestore:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
For Realtime Database:
// Only authenticated users can access/write data
{
“rules”: {
“.read”: “auth != null”,
“.write”: “auth != null”
}
}
Speaking through experience, there are two main ways of securing your data:
Set a field in the document such as "userID" and only allow CRUD when the auth.uid value matches this field.
Use the collection-document-collection nature of cloud firestore and write a rule where you allow a user to CRUD all of their own collection. E.g.
match /users/{userID}{
allow read: if request.auth.uid ==userID;
allow write: if request.auth.uid == userID;
match /userDocs/{docID}{
allow read: if request.auth.uid == userID;
allow write: if request.auth.uid == userID;
}
}
Ideally you need to allow only authenticated users to access resource. From you code above
{
"rules": {
".read": true,
".write": true
}
}
The above will allow anybody to read and write to the database even to unauthenticated users.
for firestore as you can see the rules state that it should only allow full priviledge read and write to cloud firestore if only the date has not passed (2020,9,2)
VISIT the link To learn more about firebase database rules
and visit
to learn about firestore rules
You can use firebase authentication for your users then if they are authenticated they can access the database.
My app receives a webhook from a 3rd party service, telling it that data is ready to be queried.
The webhook payload includes:
UserId
ObjectId of the object whose data is ready.
In order to query the data, I need to get an access token:
const { accessToken } = await db
.collection('users').doc(userId)
.collection('objects').doc(objectId)
.get();
// then I can:
fetchUpdatedData(objectId, accessToken)
However, I have rules in place to require that users' data may only be accessed by the user:
# `firestore.rules`
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Reject by default
match /{document=**} {
allow read, write: if false;
}
// Users can edit their own document
match /users/{userId} {
allow read, update, delete: if request.auth.uid == userId;
allow create: if request.auth.uid != null;
}
// Users can manage their subcollections
match /users/{userId}/{document=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
What's the typical way to do this?
It's not possible to use security rules to limit queries coming from backends like Cloud Functions that use any of the server SDKs. Server SDKs initialize with a service account, which always bypass security rules. You're going to have to duplicate the relevant checks from the rules in your backend code to check if the query should be done on behalf of the user.
I have a small, personal Firebase webapp that uses Firebase Database. I want to secure (lock down) this app to any user from a single, specific domain. I want to authenticate with Google. I'm not clear how to configure the rules to say "only users from a single, specific domain (say #foobar.com) can read and write to this database".
(Part of the issue that I see: it's hard to bootstrap a Database with enough info to make this use case work. I need to know the user's email at the time of authentication, but auth object doesn't contain email. It seems to be a chicken-egg problem, because I need to write Firebase rules that refer to data in the Database, but that data doesn't exist yet because my user can't write to the database.)
If auth had email, then I could write the rules easily.
Thanks in advance!
If you're using the new Firebase this is now possible, since the email is available in the security rules.
In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile:
{
"rules": {
".read": "auth != null",
"gmailUsers": {
"$uid": {
".write": "auth.token.email_verified == true &&
auth.token.email.matches(/.*#gmail.com$/)"
}
}
}
}
You can enter these rules in the Firebase Database console of your project.
Here is code working fine with my database , I have set rule that only my company emails can read and write data of my firebase database .
{
"rules": {
".read": "auth.token.email.matches(/.*#yourcompany.com$/)",
".write": "auth.token.email.matches(/.*#yourcompany.com$/)"
}
}
Code which is working for me.
export class AuthenticationService {
user: Observable<firebase.User>;
constructor(public afAuth: AngularFireAuth) {
this.user = afAuth.authState;
}
login(){
var provider = new firebase.auth.GoogleAuthProvider();
provider.setCustomParameters({'hd': '<your domain>'});
this.afAuth.auth.signInWithPopup(provider)
.then(response => {
let token = response.credential.accessToken;
//Your code. Token is now available.
})
}
}
WARNING: do not trust this answer. Just here for discussion.
tldr: I don't think it's possible, without running your own server.
Here's my attempt thus far:
{
"rules": {
".read": "auth.provider === 'google' && root.child('users').child(auth.uid).child('email').val().endsWith('#foobar.com')",
".write": "auth.provider === 'google' && root.child('users').child(auth.uid).child('email').val().endsWith('#foobar.com')",
"users": {
"$user_id": {
".write": "auth.provider === 'google' && $user_id === auth.uid && newData.child('email').val().endsWith('#foobar.com')"
}
}
}
}
I believe the above says "only allow people to create a new user if they are authenticated by Google, are trying to write into the database node for themselve ($user_id === auth.uid) and their email ends in foobar.com".
However, a problem was pointed out: any web client can easily change their email (using the dev console) before the message is sent to Firebase. So we can't trust the user entry's data when stored into Firebase.
I think the only thing we can actually trust is the auth object in the rules. That auth object is populated by Firebase's backend. And, unfortunately, the auth object does not include the email address.
For the record, I am inserting my user this way:
function authDataCallback(authData) {
if (authData) {
console.log("User " + authData.uid + " is logged in with " + authData.provider + " and has displayName " + authData.google.displayName);
// save the user's profile into the database so we can list users,
// use them in Security and Firebase Rules, and show profiles
ref.child("users").child(authData.uid).set({
provider: authData.provider,
name: getName(authData),
email: authData.google.email
});
As you might be able to imagine, a determined user could overwrite the value of email here (by using the DevTools, for examples).
This should work for anyone looking for a Cloud Firestore option, inspired by Frank van Puffelen's answer.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
// Allows all users to access data if they're signed into the app with an email of the domain "company.com"
allow read, write: if request.auth.uid != null && request.auth.token.email.matches(".*#company.com$");
}
}
}
For anyone really not wanting to have unverified accounts logging in. Maybe dirty, but very effective.
This is my workaround (Angular app):
this.userService.login(this.email.value, this.password.value).then(data => {
if (data.user.emailVerified === true) {
//user is allowed
} else {
//user not allowed, log them out immediatly
this.userService.logout();
}
}).catch(error => console.log(error));
I'm trying to allow users to read and write to my Firestore videoFeedback collection from a web app and getting a "Missing or insufficient permissions" error. How do I make sure that my request to Firestore is sent with the correct user authentication (or any authentication at all)?
This is for an Angular app using Firestore and anonymous Firebase authentication. I have already set up an anonymous user. I would like to add a document to my videoFeedback collection from the web app, not the backend. I've already read the official pages on Firestore docs:
Authenticate Anonymously with Firebase
Get Started with Firebase Authentication on Websites
and many more, plus read all SO questions on this topic.
My Firestore object is already set up correctly (I know because I can read/write to the DB if my security rules don't require a non-null request.auth).
Your help is greatly appreciated.
private db: AngularFirestore;
public initFirebaseApp() {
firebase.initializeApp(this.firebaseConfig);
}
public anonymousAuth() {
firebase.auth().signInAnonymously().catch(function(error) {
console.log("ERROR: " + String(error.errorCode) +
" " + String(error.errorMessage))
});
console.log("User is authorized");
}
this.initFirebaseApp();
this.anonymousAuth();
let date_created = new Date().toLocaleString();
let feedback = {
"feedback": "FAKE_FEEDBACK",
"rating": -1,
'created': date_created,
};
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
console.log(user.uid)
this.db.collection('videoFeedback').add(feedback);
}
}.bind(this));
And my security rules look like this
service cloud.firestore {
match /databases/{database}/documents {
match /videoFeedback/{feedback} {
allow read, write: if request.auth != null;
}
}
}
With this configuration, I get the following output:
User is authorized
JAZe9dsIMtdyNe2dhndleIcn9nd2
ERROR Error: Uncaught (in promise): FirebaseError: [code=permission-denied]: Missing or insufficient permissions.
FirebaseError: Missing or insufficient permissions.
at new FirestoreError (index.cjs.js:352)
at index.cjs.js:7274
at Y.<anonymous> (index.cjs.js:7219)
...
When I replace my security rule with
service cloud.firestore {
match /databases/{database}/documents {
match /videoFeedback/{feedback} {
allow read, write;
}
}
}
I get the same, minus the permissions error. This makes me think that it's an issue with the way my request is being sent, not with the data I'm sending or with the setup of the Firestore database.
User is authorized
JAZe9dsIMtdyNe2dhndleIcn9nd2 (or some random string)
What do I need to do to send my request with a non-null request.auth.uid?
I am trying to get access to my firebase data to run a little test. I have setup an app in the firebase console and set the access rules to:
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
Nevertheless I am always getting the following error:
angular.js:14328 Error: permission_denied at /messages: Client doesn't have permission to access the desired data.
at this line of code:
var ref = firebase.database().ref().child('messages');
What I am I missing?
Those rules are for firestore and not firebase-realtime database.
In the console go to the database section and click on the dropdown then choose RealTime database:
For the realtime database change your rules to this:
{
"rules": {
".read": true,
".write": true
}
}
and then perform the tests.