Authenticated server with a secret is not admin

Question

I don't understand why my node server, authenticated with authWithCustomToken(secret,funct()) seems to not get the admin privilege :

   myFirebaseRef = new Firebase(url);
   myFirebaseRef.authWithCustomToken(secret,function(error, authData) {
      if (error) {
        console.log(currTime() + " [CONFIG] ... Firebase authentication failed!", error);
      } else {
        console.log(currTime() + " [CONFIG] ... Firebase authentication succeeded, authData : " + JSON.stringify(authData));
      }
   }

Authentication seems successfull :

07:13 [CONFIG] ... Firebase authentication succeeded, authData : {"auth":null,"expires":null,"token":"","uid":null,"provider":"custom"}

When my server tries to update a child :

FIREBASE WARNING: update at /bd/google:112747494449447764778/9782871294917 failed: permission_denied

My client-side code is authenticated correctly and get the expected permissions.

My rules :

    {
    "rules": {
      ".read": true,
      "bd": {
        ".read": true,
        "$usernode": {
          ".read": true,
          ".write": "auth != null && auth.uid == $usernode"
         }
       }
     }
   }

Any hints ?

Are you sure authentication is a succes? Because auth is null — André Kool, Apr 11 '16 at 11:16
Should I not get an error in that case ? Also, any way to debug security on my firebase side ? — Sylvain YVON, Apr 11 '16 at 13:31
This thread suggests that the auth data is expected to be empty when a secret is used instead of a JWT. http://stackoverflow.com/questions/29594308/firebase-secret-authentication-returning-null-payload — Sylvain YVON, Apr 11 '16 at 17:24

score 0 · Answer 1 · answered Apr 11 '16 at 17:42

0

The url I was refering to in my Firebase object was not the root, but "/bd". The server does have the admin rights once this is corrected.

answered Apr 11 '16 at 17:42

Sylvain YVON

43
8

Authenticated server with a secret is not admin

1 Answers1