6

I'm trying to allow users to read and write to my Firestore videoFeedback collection from a web app and getting a "Missing or insufficient permissions" error. How do I make sure that my request to Firestore is sent with the correct user authentication (or any authentication at all)?

This is for an Angular app using Firestore and anonymous Firebase authentication. I have already set up an anonymous user. I would like to add a document to my videoFeedback collection from the web app, not the backend. I've already read the official pages on Firestore docs: Authenticate Anonymously with Firebase Get Started with Firebase Authentication on Websites and many more, plus read all SO questions on this topic.

My Firestore object is already set up correctly (I know because I can read/write to the DB if my security rules don't require a non-null request.auth).

Your help is greatly appreciated. 

private db: AngularFirestore;

public initFirebaseApp() {
    firebase.initializeApp(this.firebaseConfig);
}

public anonymousAuth() {
    firebase.auth().signInAnonymously().catch(function(error) {
        console.log("ERROR: " + String(error.errorCode) + 
            " " + String(error.errorMessage))
    });
    console.log("User is authorized");
}

this.initFirebaseApp();
this.anonymousAuth();

let date_created = new Date().toLocaleString();
let feedback = {
    "feedback": "FAKE_FEEDBACK", 
    "rating": -1,
    'created': date_created,
};

firebase.auth().onAuthStateChanged(function(user) {
    if (user) {
        console.log(user.uid)
        this.db.collection('videoFeedback').add(feedback);
     }
}.bind(this));

And my security rules look like this 

service cloud.firestore {
  match /databases/{database}/documents {
    match /videoFeedback/{feedback} {
        allow read, write: if request.auth != null;
    }
  }
}

With this configuration, I get the following output: 

User is authorized
JAZe9dsIMtdyNe2dhndleIcn9nd2
ERROR Error: Uncaught (in promise): FirebaseError: [code=permission-denied]: Missing or insufficient permissions.
FirebaseError: Missing or insufficient permissions.
    at new FirestoreError (index.cjs.js:352)
    at index.cjs.js:7274
    at Y.<anonymous> (index.cjs.js:7219)
...

When I replace my security rule with 

service cloud.firestore {
  match /databases/{database}/documents {
    match /videoFeedback/{feedback} {
        allow read, write;
    }
  }
}

I get the same, minus the permissions error. This makes me think that it's an issue with the way my request is being sent, not with the data I'm sending or with the setup of the Firestore database. 

User is authorized
JAZe9dsIMtdyNe2dhndleIcn9nd2 (or some random string)

What do I need to do to send my request with a non-null request.auth.uid?

choskie
  • 71
  • 1
  • 5
  • @DougStevenson Thanks for noticing! Sorry, that was a mistake. I just edited them to correspond to what I actually have. – choskie Jul 12 '19 at 03:40
  • 2
    There's nothing special you have to do in the query. You just have to make sure that the query comes after the authentication fully completes. I don't know why it's not working in your case though. – Doug Stevenson Jul 12 '19 at 03:40
  • @DougStevenson that's what I thought too! And it's quite confusing because the console can print out `user.uid`, which seems to mean that the user is authenticated. :/ Thanks for taking a look – choskie Jul 12 '19 at 03:44
  • I had a similar error. Turns out it was because I was trying to access subcollections, but the rule is not recursive by default. Adding a recursive wildcard to the rule made it work. See my answer at https://stackoverflow.com/a/63929181/1460448 – xji Sep 16 '20 at 23:25

0 Answers0