Note: This question is tagged polymer because the Polymer library is used to generate the Javascript.
This question is about two different but related problems dealing with Firebase security. Problem 1 and Problem 2 seem to suggest opposite realities and opposite results when trying to get the Firebase security rules to work. (FWIW: Here is my prior unsuccessful attempt to write this question.)
Here is the live code in a JSBin.
http://jsbin.com/hinehoyigo/edit?html,output
Problem 1
Firebase Security Rules Block Writing to Firebase
Instructions
Enter your firebase ID. Example: "hot-sauce-123"
In a new tab or window, go to your firebase and open it
Allow anonymous auth:
Your firebase
> Login & Auth
> Anonymous tab
> Check "Enable Anonymous User Authentication"
Apply no security rules: Security & Rules >
{
"rules": {
".read": true,
".write": true
}
}
Return back to jsbin
Select "anonymous" as auth provider: dropdown menu > anonymous
Click button labeled "login"
Verify login status per fields to right
Open your console: Chrome > View > Developer > Developer Tools
Click button labeled "Print User to console"
Double-check login status by verifying user object printed to console
Click button labeled "Print Firebase to console"
Verify correct firebase by checking Firebase URL printed to console
Click button labeled "Write to Firebase — Plain Url"
Check your firebase data; notice no write occured
Click button labeled "Write to Firebase — .json Url"
Check your firebase data; notice successful write
Distinguish the two write attempts because former attempts to write {"quux":"baz"};
latter attempts to write {"jquux":"jbaz"}
Add security rules: Security & Rules >
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid === $uid",
".write": "auth != null && auth.uid === $uid"
}
}
}
}
Click again the button labeled "Write to Firebase — .json Url"
Check your firebase data; notice write NOW FAILS
Conclusion / Problem Statement: Firebase security rules block writing to Firebase.
Problem 2
Simulator blocks .json URL from being used (as required above)
Instructions
Open your Firebase
Verify security rules are in place (see above step #19 in Problem #1)...
Open your simulator: Vertical Navigation Menu > Simulator
Check radio button labeled "Custom Auth"
Custom Auth input field should read something like
"{ provider: 'anonymous', uid: 'ag69g401-f097-4171-bca4-927fd1a6e1f3' }"
Click button labeled "Authenticate"
Verify little green check mark is next to radio button labeled "Custom Auth"
Go to section 2
Click tab labeled "Write"
In input field labeled URL, enter "users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar"
Verify the user ID in the URL path you just entered, matches the uid value in the above Custom Auth field
Click button labeled "Simulate Write"
Notice response says something like:
Attempt to write {"key":"value"} to /users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar with auth={"provider":"anonymous","uid":"ag69g401-f097-4171-bca4-927fd1a6e1f3"}
/
/users
/users/ag69g401-f097-4171-bca4-927fd1a6e1f3:.write: "auth != null && auth.uid === $uid"
=> true
Write was allowed.
Notice: This result is the opposite result from above steps #14 and #15 where the plain URL (without .json appended) failed to write
Append ".json" to the URL so the input field reads something like
"users/ag69g401-f097-4171-bca4-927fd1a6e1f3/foo/bar.json"
Click button labeled "Simulate Write"
Notice response says something like:
Invalid path. Simulation aborted.
Notice: This result is the opposite result from above steps #16 and #17 where the .json appended URL was the only one that worked;
Notice these simulator tests suggest the opposite results than those tested from the live code in above Problem #1
Problem 1
You're using the Polymer firebase-auth element to authenticate with Firebase.
<firebase-auth id="firebaseLogin"
user="{{user}}"
...
Under the hood this calls the Firebase.authAnonymously() method, which authenticates the current session in the Firebase JavaScript SDK.
You're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. But since this is a regular HTTP call, it will not "inherit" then authentication from the Firebase JavaScript client.
To authenticate your REST request, you will need to pass in an auth parameter as documented in the Firebase documentation. You can get the token from the Firebase reference using ref.getAuth().token.
Problem 2
Each element in your Firebase database is accessibly by a unique URL. You can either access it with one of the Firebase SDKs or by directly accessing the REST API that Firebase exposes.
From what I can gather from the jsbin, you're writing to Firebase using:
computeFbTargetJson: function(f) {
return f + '.json';
}
and
this.set('$.ajax.url' , this.fbTargetJson);
this.set('$.ajax.body' , JSON.stringify({
jquux: 'jbaz'
}));
this.$.ajax.generateRequest();
This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. The first paragraph of that API documentation explains how Firebase database URLs map to the REST API:
We can use any Firebase app URL as a REST endpoint. All we need to do is append .json to the end of the URL and send a request from our favorite HTTPS client.
So in order to access any data in Firebase using the REST API, you append .json to the URL of that data.
When you're using the Firebase Simulator, the operation is similar to using Firebase's JavaScript SDK. In that case, you should not put the .json suffix at the end of the URL.
So given a Firebase database at https://mine.firebaseio.com/, say you have a user profile at /users/de01fc8104.
You can access that record in the simulator or with a Firebase SDK as https://mine.firebaseio.com/users/de01fc8104
To access the record using the REST API, the URL is https://mine.firebaseio.com/users/de01fc8104.json
Summary
Both of your problems are caused by the fact that you're using two different ways of accessing Firebase: the JavaScript SDK and the REST API. While these two methods can be used together, you will have to ensure you provide the information that is needed. In general you will have an easier experience if you stick to using one way of accessing Firebase from a single client.
#FrankvanPuffelen's answer in Polymer-speak translates into:
Use the <firebase-collection> element's .add() method to write data to Firebase from the client while under security rule enforcement. It's more efficient from a code standpoint as firebase-collection handles all the necessary auth tokens for you automatically.
Related
I'm beginner and I'm developing a chrome extension that shows data received from my firebase realtime database. It does not need Login, or any personal information.
I'm trying to use REST API. Until now I have been in a test mode so I opened access to data for all. But Google keeps mailing me that I have to change the access rule because it is dangerous.
My present access rule is this:
{
"rules": {
".read": true,
".write": false
}
}
Now, I fetch data from https://<project name>.firebaseio.com/<database name>.json. But if I change the rule, the access will be denied.
So I want to add some key to the url and change access rule according to it so that I can fetch data from the url. For example,
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>.
I do not need personal keys so I want only one key just like when we get information from open APIs. For example, when I use weather api, I get my api key from the host and adds the key to url.
Is this possible? If it is, I wonder two things.
the key that I can use (for example, realtime base wep API key)
access rule of realtime database
You can't pass parameters to the Firebase database like this:
https://<project name>.firebaseio.com/<database name>.json?some_key=<some_key>
But if you change the order of the values, it suddenly becomes possible:
https://<project name>.firebaseio.com/<some_key>/<database name>.json
We then change the security rules to only allow access when somebody already knows the secret key:
{
"rules": {
".write": false,
"$some_key": {
".read": true
}
}
}
Now the secret key is part of the path of the data, and only a user that already knows the key can read the data for that key.
It is hard for me to understand why the simulator puts me off for this input
I supplied this auth token body:
{
"account": "7xms2zm6noz03f2mvn",
"playerId": "d3221a31-263c-4629-92fb-6cac89b67088"
}
I am using custom authentication to supply the above blob.
Please see the attached screenshot for how the simulator treats this:
This is my database tree:
What am I missing?
It appears that when you use the simulator, the "auth token payload" is actually at the auth level, not at the auth.token level.
So, you need to simulate the auth.token.account claim like this:
{
"token": {
"account": "7xms2zm6noz03f2mvn",
"playerId": "d3221a31-263c-4629-92fb-6cac89b67088"
}
}
You can tell it is (apparently) misnamed because if, for example, you select the "Google" provider, then provider and uid are both at the top level of this blob (which can't be modified), and that is where you would expect to find them.
Likewise this image from this blog post shows the token block as a sub-block in the simulator.
I'm sure I'm missing something wrt Firebase Storage rules, but I've done the following:
STEP 1
Firstly I set the following Firebase Storage rule:
service firebase.storage {
match /b/{bucket}/o {
match /items/{dev_key}/{perm_id}/{file_name} {
allow write: if request.auth.uid == dev_id;
allow read: if request.auth.token.permId == perm_id;
}
}
}
I expected only signed in users with a custom claim permId matching the relevant location to be able to download the file, allow read: if request.auth.token.permId == perm_id;.
So, I then set a custom claim in Cloud Functions on a user as follows:
STEP 2
admin.auth().setCustomUserClaims(uid, {permId: '1'}).then(() => {
// send off some triggers to let user know the download is coming
admin.database().ref(`collection/${uid}/${itemId}`).update({
downloadReady: true
});
});
Then I signed the user out and signed back in again... which set the custom claims.
I checked that they were set in Cloud Functions as follows:
STEP 3
admin.auth().verifyIdToken(idToken).then((claims) => {
console.log("--------------claims -------------");
console.log(JSON.stringify(claims));
});
And I saw in the claims string... permID: "1"
On the client side I then requested a downloadURL (here is hopefully where I'm going wrong)... I expected this to not be the public download url but rather the download url that the Firebase Storage security rules will check:
STEP 4
var pathReference = storage.ref('items/<some-key>/1/Item-1');
pathReference.getDownloadURL()
.then((url)=>{
console.log("url: ", url);
})
The url I received from this call gave me this link
https://firebasestorage.googleapis.com/v0/b/emiru84-games.appspot.com/o/games%2FcfaoVuEdJqOWDi9oeaLLphXl0E82%2F1%2FGame-1?alt=media&token=45653143-924a-4a7e-b51d-00774d8986a0
(a tiny little image I use for testing)
So far so good, the user with the correct claim was able to view this image
I then repeated step 2, logout/login again, except this time with a permId of "0". I expected the url generated previously to no longer work since my user no longer had the correct custom claim... and the bucket location was still at the same location (bucket/dev_key/1/filename) but it still worked.
If I repeated step 4 I got a new url, which then gave the appropriate 403 error response. However the old url still worked (I guess as long as the token parameter is tacked on). Is this expected, if so, I'm not sure I understand how the Storage security rules make a difference if the download url is public anyway?
Any help clearing my foggy brain would be appreciated.
The download URL in Cloud Storage for Firebase is always publicly readable. It is not affected by security rules.
If you don't want to allow public access to a file, you can revoke its download URL.
i am new to firebase. i have set up a firebase realtime database and can read from and write to it if the read and write rules are set to true.
i have a problem with authentication.i have set up authentication for google and email plus password.
my goal is to allow any user to read the data but only one user (myself) can write data after logging in using a single email address and password.
i can successfully read from and write to the database if i login with google (with rules set to: auth != null.)
i can also read from and write to the database using the same rules (auth != null) if i log in with the email address and password.
i don't know how to set it up to only allow write access for the single user logging in with an email address and password.
i have tried including a user node in the rules but i can't get access when using the simulator (see below) and i don't know how to include the uid (which i can get after logging in) when building the reference - this is the reference i currently use (which works with the read and write rules set to true):
DatabaseReference databaseReference = mRootReference.child("Action_helper/1/Action_table_of_contents");
i have not included a users node in my database as i am assuming that is taken care of by firebase authentication.
here is the layout of my data:
i have tried the simulator using various rules options. testing access using these settings in simulator (choosing the Custom provider option):
Auth {"provider" : "firebase", "uid" : "Rp3OgoaABMN3hqTv0aF29ECQRCQ2"}
note: i get the provider and uid from Firebase object after logging in with an email address and password which i have set up in Firebase authentication:
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
// User is signed in
userId = user.getUid();
String provider = user.getProviderId();
i would appreciate some help in 1) formulating my rules, 2) if and how i should change my data structure, and finally 3) how to include the uid in the database reference which i'll use to write data to the database.
thanks
There is no users node so, defining in rules would not help. I think the rule that may work would be something like below (assuming 0 and 1 are uid):
{
"rules": {
"Action_helper":{
"$uid":{
//user-based security
".read": "auth != null && $uid === auth.uid",
".write": "auth != null",
}//$uid
}//Action_helper
}// rules
}
Examining above rules by default if we do not define rules then it is false i.e. at Action_helper it is false for both read and write. When it comes to the node uid (where $ denotes wild card) then, we check if the user id of logged in user is same to uid of this node and define rules accordingly.
I highly recommend to go
through the link The key to Firebase security - Google I/O 2016 , it is very helpful, easy to follow, and best explanation I found so far with demo example.
The data layout will depend on your requirement and screens. Although Firebase allows 32 level of nesting it is highly recommended to nest nodes as less as possible. And other important thing to think about the data layout is to keep data as denormalize as possible even if we
have to make copies of fields across the nodes.
To include uid in database reference you can keep on appending each child:
DatabaseReference databaseReference = mRootReference.child("Action_helper).child(uid).child("Action_table_of_contents");
So, here we are referring from root node to child "Action_helper" and going further down to it's child that matches uid and of that uid we are referencing to the child "Action_table_of_contents".
thanks for the help. i managed to get it working (partly) but am not sure that i am doing it correctly. here is my data structure (i have changed the names)- there is one user node (using the authentication uid), and two child nodes which contain the data:
and here are my rules:
essentially it works in the simulator but in code, i am able to log in and read and write. BUT i now have a problem, if i don't log in then the uid passed in the query reference is null, if i put a dummy value as the uid then i can't access the data at all (as the data is under users/the_valid_uid node and the dummy uid does not match the_valid_uid).
so how do i build a database reference without hard coding the valid user's uid? so that i can access the data in the Addiction_items and table_of_contents_items nodes (my aim is to allow anyone to read data in both nodes but to only allow one user (myself) to be able to write to both nodes after logging in with my email address and password?
thanks
I've recently built an app using Firebase as the data store and secured it using the security rules that only the user can read and edit their data which all works fine.
But now I want to build an admin section to list users and update details if need be, but the problem I'm running into is the fact that I cant access their data as I'm not the user. I'm seeing if its possible to allow read or write permissions to the user or admin?
UPDATE
Token generation
var tokenGenerator = new FirebaseTokenGenerator(authSecret);
var token = tokenGenerator.createToken({admin: true});
Security rule
".read": "auth.admin == true || otherauthmthod"
The method that you described above will work, assuming you update your security rules to look for the auth.admin bit. Alternatively, and likely a bit easier, is to generate an admin token, which will allow you to skip the execution of security rules entirely. This can be accomplished via:
var token = tokenGenerator.createToken({ any: "data" }, { admin: true });
See https://github.com/firebase/firebase-token-generator-node for more details.