5

I have a very simple write security rule that should only allow users with a verified email to write data:

"someNode": {
  ".write": "auth.token.emailVerified === true"
}

For some reason I am still getting permission denied in the simulator with a specific user's token and in my app with the same user. I double-checked the user object in the client and it indeed has emailVerified === true, hence I am not sure why this is not working.

Screenshot: [image]

Ilja
  • Can you share a screenshot of the simulator failing? This screenshot should have the path, the rules, the user auth that you specified in the simulator, the failure and the data you're writing. – Frank van Puffelen Feb 26 '17 at 16:24
  • test at the client side will be easier – Oussema Aroua Feb 26 '17 at 16:51
  • @FrankvanPuffelen added, I was only able to use Anonymous auth in simulator, but uid token passed to it is from a test user authenticated via `Email/Password`, same user tested from an actual client (not simulator) receives error of `permission denied` for same rules – Ilja Feb 26 '17 at 17:55
  • 1
    The simulator does not read the actual token of the user. Only the payload that you enter in the simulator is available when simulating the security rules. For anonymous accounts that means that you only get `provider` and `uid`. – Frank van Puffelen Feb 26 '17 at 18:39
  • @FrankvanPuffelen indeed adding that payload in manually in simulator worked, however still experiencing issue in client, where I receive `FIREBASE WARNING: set at /queue/create/tasks/-Kdvoc0u3OWz3_LTDku1 failed: permission_denied` for user who has `emailVerified: true` where `task` refers to `someNode` in my question, changing the rule to `auth !== null` works fine – Ilja Feb 26 '17 at 19:14
  • @FrankvanPuffelen found a solution and posted answer, but that was a lucky find in some forum. If you look at my answer, could you tell me if there is reference in docs I could view that shows that it is `email_verified` that needs to be used? I wasn't able to find it. – Ilja Feb 26 '17 at 19:25
  • @Ilja One more thing. Firebase examples use != and == instead of strict equality. It should be worth knowing the impact of using either. – Sayam Qazi Aug 22 '18 at 09:00

1 Answer

11

Turns out `auth.token.emailVerified` should be `auth.token.email_verified`; it's a bit inconsistent with how such data is presented on the client side.

Ilja
  • Darn. I was considering that immediately when I saw your question, but thought I'd just misremembered the syntax. I should've checked. :-/ – Frank van Puffelen Feb 26 '17 at 21:35
  • @FrankvanPuffelen I wasn't able to find any reference to this in the docs :/ and it is actually presented as `emailVerified` in user object we get from javascript SDK on client, hence is a bit misleading. – Ilja Feb 26 '17 at 22:14
  • 1
    It *is* documented here: https://firebase.google.com/docs/reference/security/database/#authtoken – Frank van Puffelen Feb 26 '17 at 22:29