5

I want to restrict access to my Firebase Database, so that only the users I authorize can write to it. But the solution almost everywhere proposed doesn't seem to work for me.

I always get a 401 (unauthorized) error in my console.

I tried two ways of checking whether the right user is logged in or not, but none of them worked for me:

1. uid hard-coded in rules:

{
  "rules": {
    ".read": true,
    ".write": "auth.uid === 'UID'"
  }
}

2. uid in database

{
  "rules": {
    ".read": true,
    ".write": "root.child('users').hasChild(auth.uid)"
  }
}

In both ways I used the uid provided in the Firebase-Authentication overview. I use Google as Signin provider.

Karl Hofmann

2 Answers

4

From the documentation:

Here's an example of a rule that grants write access for authenticated users to /users/<uid>/, where <uid> is the ID of the user obtained through Firebase Authentication.


Edit:

For a specific path and current obtained user through Firebase Authentication, this should help:

{
  "rules": {
    "YourSpecificPath": {
      "$uid": { // where <uid> is the ID of the user obtained through Firebase Authentication
        ".write": "$uid === auth.uid",
        ".read": true
      }
    }
  }
}

Or, give the uid directly:

{
  "rules": {
    ".read": true,
    ".write": "auth.uid === 'dJrGShfgfd2'"
  }
}
ʍѳђઽ૯ท
  • Thank you for your answer. I don't want to grant access for one user to a specific path. I want to achieve that one user can write to all Data. And all the others can't. Is that possible? – Karl Hofmann Sep 22 '18 at 14:15
  • Then do I have to wrap my entire Database into the uid? The User should have something like an Admin-functionality – Karl Hofmann Sep 22 '18 at 16:12
  • You can give the `uid` directly (as the admin) in this case too. Check Frank's answer: https://stackoverflow.com/a/41775839/4409113. Updated the answer. – ʍѳђઽ૯ท Sep 22 '18 at 16:22
  • Okay, I feel really stupid now... I switched to axios and forgot to send the idToken with my Patch-request... and oh wonder: it's unauthorized... Thank you anyways :) – Karl Hofmann Sep 23 '18 at 08:49
1

All code-samples are correct

All of the Code-Snippets, in the question and in the answer of Mohsen work. I just forgot to send the idToken with my patch-request.

Code to get the idToken:

firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then(function(idToken) {
  // Send token to your backend via HTTPS
  // ...
}).catch(function(error) {
  // Handle error
});

from: https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients

Authenticate with an idToken:

https://<DATABASE_NAME>.firebaseio.com/users/ada/name.json?auth=<ID_TOKEN>

from: https://firebase.google.com/docs/database/rest/auth

Karl Hofmann
  • 1
    Then I believe you should accept my answer since it was correct. However, you got my upvote for the explanation. This will be helpful for the future searches :) Happy coding. – ʍѳђઽ૯ท Sep 23 '18 at 09:34
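The fix described in the answer above, as an added example that is not part of the original posts: a PATCH to the REST endpoint that always carries the signed-in user's ID token in the `auth` query parameter. The helper names (`rtdbUrl`, `patchAsUser`, `fetchImpl`) are hypothetical, and the single retry with a force-refreshed token on a 401 is an added assumption about how to handle an expired cached token.

```javascript
// Added example; rtdbUrl, patchAsUser and fetchImpl are hypothetical names.

// Build the REST URL for a database path, with the ID token in the `auth` parameter.
function rtdbUrl(databaseName, path, idToken) {
  const cleanPath = path.split('/').filter(Boolean).map(encodeURIComponent).join('/');
  const url = new URL(`https://${databaseName}.firebaseio.com/${cleanPath}.json`);
  if (idToken) url.searchParams.set('auth', idToken);
  return url.toString();
}

// PATCH `data` to `path` as the signed-in `user` (e.g. firebase.auth().currentUser).
// `fetchImpl` is injectable so the function can be exercised offline.
async function patchAsUser(user, databaseName, path, data, fetchImpl = fetch) {
  // Without a user there is no token, and rules that check auth.uid reject the write.
  if (!user) throw new Error('No signed-in user: the request would be sent without auth');
  const send = async (forceRefresh) => {
    const idToken = await user.getIdToken(forceRefresh);
    return fetchImpl(rtdbUrl(databaseName, path, idToken), {
      method: 'PATCH',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(data),
    });
  };
  let res = await send(false);
  // Assumption: a 401 may mean the cached token expired; refresh once and retry.
  if (res.status === 401) res = await send(true);
  if (!res.ok) throw new Error(`Write rejected with HTTP ${res.status}`);
  return res.json();
}
```

Because the token travels in the URL, keep request URLs out of client-side logs and error reports.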