Firestore; security rules : if request.auth != null;

Thank you a lot for the idea and the screenshots! I gave it a try: but even logging out, re-starting the app and logging in again did not solve the problem. :exploding_head:

My ongoing trial and error approach also showed this crazy situation:

  • using: “allow read, write: if request.auth == null;” makes the application work despite the fact, that at the same time the app displays the UserID of the currently logged in user.

Screenshot from iOS preview:

Somehow the security rule functions upside down :flushed:

Might this be connected to the trouble I am seeing??

  • log-in with iOS-preview is possible (like described above)
  • log-in with web-preview does not work

This is strange. I am not sure if this is going to work. You may clear the cache and data of the Appgyver app from your phone and check.

BTW have you enabled anonymous, if so, try to disable.

The problem stays the same,

  • despite deleting the iOS-preview app and re-installing it.
  • and ‘anonymous’ was and is disabled.

Anything else I can do?

I have tried it with HTTP request node, too, and I could not log in. I think there is a bug when using web preview.

BTW, I successfully created a new user via the web preview.

Your explanation of the bug is not entirely clear to me. Can you give some more details, about how you see the bug, please?

From my perspective:

  • log-in: that works in the preview app → as proof for successful login: the preview-app can display the credentials of the logged in user (e.g. the userID).
  • user creation: that works in the preview-app (in both cases: a user is already logged-in or no user is logged-in).

Not working:

  • log-in the preview-app and use data from Firebase, when the security rule in firebase is set to
    < allow read, write: if request.auth != null; >

Hi there,
Despite spending the week in reading everything I find about the firebase security rules, I still don’t find the solution. :hot_face:

  • Please, has anybody more ideas why the rule below is not working in the iOS preview app, even though a user is logged in?
  • to understand if it is just me or a general topic: Does the rule work in your apps?
  • to me the data security is crucial to process user data responsibly!


Hey,

Ok my setup on firebase is a bit different to yours. It allows me to access all the info but I need to be logged in first.

Here is a screen shot of the coding etc:

It is very basic and allows everyone read and write access to the entire database.

For now it isn't perfect but it is preventing guests from accessing the database.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if true;
    }
  }
}

I hope this helps you. If not just PM me and I can see what else I can assist with

Hi,
thank you so much for sharing the rules you are using!! :+1:

  • when I use the rules you shared, my app can read and write data into firebase as well.
  • Important: actually I am afraid you are mistaken about the protection of the set-up you shared: ‘allow read, write: if true;’ does not protect anything of your database. On the contrary any guest (or hacker) can take your API from your app (the API isn’t secret!) and abuse your database in every way. This is because the condition ‘if true’ is always true. This condition does not require authentication at all. (for more details: Writing conditions for Cloud Firestore Security Rules )
  • nevertheless, can you please go one step further with me and do a test:
  1. please change only the condition into 'allow read, write: if request.auth != null;'
    this condition requires the user to be authenticated (= logged in).
  2. Then please log in into the preview of your app and try if you can still get the data from firebase.

It would be great if we could achieve a little bit of clarity about the security rules together! I am very curious how it will work for you.

Hey,

I have good news, it looks like it worked on my side and I was able to log in without a problem.

I was thinking, create an alert on the non successful login attempt and in the message select:

outputs["Email & password authentication (Firebase Auth)"].error.rawError

Thank you for your suggestion!

I understand that you used the condition 'allow read, write: if request.auth != null;' in your firebase security rule and then were able to login successfully. Actually that works fine for me as well and I double-checked with your suggestion in the screenshot.

But I do not understand, if you were able to read or write data while using the condition 'allow read, write: if request.auth != null;'
Did that work for you?

Yes, I was able to read and write to the database. Both work.

Are you able to do both as well?

Sadly I still can not read or write when using this security rule 😵‍💫

Oh no,

What raw error message does it give you if you put the alert on the get record collection?

Alert is set to:

It shows the following raw error in preview (both PC and iOS):
{"error":{"code":403,"message":"Missing or insufficient permissions.","status":"PERMISSION_DENIED"}}

I have used the rule below and it is working just fine:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

I tried another rule , and it is working, too:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

BTW, if there is a firewall, try to disable it and re-check.

Thank you @Mazen_Al-Sakkaf and @Ashley_Mclean for your feedback when using these security rules in firebase. With your hints I now found that the trouble commences with the type of the data resource:

  1. Sadly the type “Google firebase / Cloud firestore” lacks the ability to work with sub-collections. (Firestore: get sub-collection - #4 by stayfoolish and Firebase firestore nested collections - #4 by Mari). :sleepy:
  2. To use sub-collections I followed the tutorials to the type “REST API direct integration”
  3. But I did not realize until now, that I separated the authentication from the data resource. This resulted in the malfunction when using a security rule.

Do you know where I can find an instruction, how to use “REST API direct integration” together with the authentication?

Hi,

Did you have a look at the following info for roles etc?

I am not sure if this could help you…

Thank you, Ashley, these roles are good to know!
While your link above seems to be more about administration roles, especially this part of the docs proofed to be very helpful:
https://firebase.google.com/docs/reference/rest/auth?hl=en#section-sign-in-email-password

Thankfully I figured something out, that allows the use of the Firestore security rules AND nested collections in Firestore. Hopefully the following description can be beneficial for others, who stumble across the same issues as well:

  1. Delete the flow function “Email and password authentication (Firebase Auth)” , because it does not return the idToken in its outputs.
  2. Instead use a “http request” flow function with POST:
    URL:
    body:
  3. save the idToken into an AppVariable by using the output:
  4. Adding ‘Authorization’ to the header of the ‘REST API direct integration’ in the data configurator.
  5. For GET, POST and DELETE: Binding the AppVariable with the idToken to the header
  6. For PATCH: Setting it into the header of the ‘http request’ (can not be done in the data configurator currently until PATCH is included in the data configurator)
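As an added example (not from the thread, and not AppGyver's or Firebase's own code): the sign-in and the authenticated read from steps 2 to 5 done in Python against the Firebase Auth and Firestore REST endpoints, with a constructed offline stand-in for Firebase that behaves like the 'request.auth != null' rule and answers the same 403 error quoted earlier in the thread. PROJECT_ID, API_KEY, the account, the fake tokens and the document path are placeholders.

```python
import json
import urllib.request
from urllib.error import HTTPError

SIGN_IN_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword"
DOC_URL = "https://firestore.googleapis.com/v1/projects/{project}/databases/(default)/documents/{path}"
# The raw error the thread reports when the rule rejects a request that carries no request.auth.
PERMISSION_DENIED = {"error": {"code": 403, "message": "Missing or insufficient permissions.",
                               "status": "PERMISSION_DENIED"}}

def http_send(req):
    """Real transport: (HTTP status, parsed JSON body), also for error replies."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)

def fake_send(req):
    """Constructed offline stand-in for Firebase enforcing 'if request.auth != null' (fake tokens)."""
    if req.full_url.startswith(SIGN_IN_URL):
        return 200, {"idToken": "FAKE-ID-TOKEN", "refreshToken": "FAKE-REFRESH-TOKEN"}
    if req.get_header("Authorization") == "Bearer FAKE-ID-TOKEN":
        return 200, {"name": req.full_url.split("/documents/")[1], "fields": {}}
    return 403, PERMISSION_DENIED

def sign_in_with_password(api_key, email, password, send=http_send):
    """Step 2: POST e-mail/password to the Auth REST API; returns the idToken the flow function hides."""
    body = json.dumps({"email": email, "password": password, "returnSecureToken": True})
    req = urllib.request.Request(f"{SIGN_IN_URL}?key={api_key}", data=body.encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    status, payload = send(req)
    if status != 200:
        raise RuntimeError(f"sign-in failed: {payload.get('error', {}).get('message')}")
    return payload["idToken"]

def get_document(project_id, path, id_token, send=http_send):
    """Steps 4-5: GET a (nested) document with 'Authorization: Bearer <idToken>'; returns (allowed, body)."""
    headers = {"Authorization": f"Bearer {id_token}"} if id_token else {}
    req = urllib.request.Request(DOC_URL.format(project=project_id, path=path), headers=headers)
    status, payload = send(req)
    return status == 200, payload

def demo(send=fake_send):
    """The thread's failure and fix in one run: read without auth, sign in, read again with the token."""
    denied, _ = get_document("PROJECT_ID", "users/u1/notes/n1", None, send)
    token = sign_in_with_password("API_KEY", "user@example.com", "pw-placeholder", send)
    allowed, doc = get_document("PROJECT_ID", "users/u1/notes/n1", token, send)
    return denied, allowed, doc["name"]
```

Passing send=http_send to the same functions runs the identical flow against the real endpoints, so the 403 body from the stand-in can be compared directly with what the preview app shows.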

Now the Firestore security rule works with my App: :sweat_smile:

I learned about the solution thanks to this course in udemy.com, which I recommend to everyone starting AppGyver with Firebase: Complete Firebase Course by @o.ezzat :+1:

For the future there is the hope, that functionality of the Firebase-Connector grows and will include

  • nested collections
  • idToken in outputs

Then it should be better to use the pre-built flow function around Firebase Auth. Because most likely with the posted solution there will be other issues on the road, that I am not seeing currently (e.g. ensuring the persistence of the log-in)… But that might be a topic for another thread :wink:


Thank you @stayfoolish for the tutorial. It’s very helpful. Did you manage to get the idToken when the user is already signed in? FireBase Auth functions in AppGyver return a refresh token which can be used to get an ID token (see this reference doc). However I can’t retrieve the refresh token returned by the Auth node. Please post here if you have any success.
