1

I found this question: Firebase Permission Denied which mentions using this JSON code:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

It only allows access to Read or Write by authenticated users. This would work perfectly for me.

The only issue is that this answer is outdated. They dont use JSON anymore as far as I know.

Currently my rules look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

How can I allow only Read and Write access to users with the "API Key" which I have provided and loaded in my app like in the old question?

Edit, I now know that Firebase Realtime Database uses JSON Rules and Firebase Firestore uses the actual Firebase Security Rules Language.

So after I realized this, I set all my rules to auth != null.

In realtime database rules:

{
  "rules": {
    "users": {
        ".read": "auth != null",
        ".write": "auth != null"
    }
  }
}

And also Cloud Storage rules just in case:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Yet after all of this... Im still getting these errors:enter image description here

I dont get what Im doing wrong, Im directly sending in the API key correctly, I logged it just to test it, all my references are correct...

I DONT GET IT....

EDIT: Code

const firebase = require('firebase');
var config = {
    apiKey: "(Key removed... for obvious reasons)",
    authDomain: "discord-trust.firebaseapp.com",
    databaseURL: "https://discord-trust.firebaseio.com",
    storageBucket: "discord-trust.appspot.com"
};
firebase.initializeApp(config);

... Lots of code between these two ...

case `testWriteReputation`: {
                    if (msg.author.bot) return;
                    if (msg.author.id === bot.user.id) return;
                    firebase.database().ref(`BasicUserData/${msg.author.id}`).set({
                        lastLoggedUsername: msg.author.tag,
                        lastLoggedAvatar: msg.author.avatar,
                        lastLoggedDiscriminator: msg.author.discriminator,
                        userAccountCreated: msg.author.createdAt,
                        userIdentifier: msg.author.id
                    });
                    break;
                }

Entire javascript file can be found here, again, with the api key removed: https://hatebin.com/egchvudbew

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Mister SirCode
  • 1,575
  • 14
  • 31

1 Answers1

1

As explained in the doc, if you want to use the auth variable in your Realtime Database Security rules (allowing you to control data access on a per-user basis), you need to use Firebase Authentication.

Once a user authenticates, the auth variable in your Realtime Database Rules rules will be populated with the user's information. This information includes their unique identifier (uid) as well as linked account data, such as a Facebook id or an email address, and other info.

Have a look at this doc for more info on how to start with Authentication.


Note that the Realtime Database and Firestore are two totally different Firebase services. They don't share the same security rules syntax.

Renaud Tarnec
  • 79,263
  • 10
  • 95
  • 121
  • I have firebase authentication for a planned website later on... Though.. How do I use it with a Node.JS app thats only sending and recieving small bits of data. Last time I did this, it didnt require authentication. it only required the API key... Whats different now?? – Mister SirCode Jul 26 '20 at 08:23
  • Just in case its needed, heres my entire javascript file unredacted besides the API key: https://hatebin.com/egchvudbew – Mister SirCode Jul 26 '20 at 08:26
  • Let me be more specific. Is there a way to ONLY allow Read and Write from the API Key? So I dont have to use Firebase Auth? – Mister SirCode Jul 26 '20 at 08:28
  • 1
    It depends which SDK you are using. If your Node.js app uses the Admin SDK you will bypass all security rules. If you are using a client SDK, you need to implement the authentication if you want to use the `auth` variable in security rules. It is difficult to answer without all the exact details of your architecture. You should thoroughly study the documentation. – Renaud Tarnec Jul 26 '20 at 08:31
  • Admin SDK is paid. I tried that earlier and it told me I had to do a free trial and then pay for a service. This is my only option. But If I have to use the `auth` variable, can you show me how I can implement it into javascript / node.js – Mister SirCode Jul 26 '20 at 08:33
  • Note that the API key has nothing to do with database(s) security rules. "The apiKey in this configuration snippet just identifies your Firebase project on the Google servers. " see https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public/37484053#37484053 – Renaud Tarnec Jul 26 '20 at 08:33
  • So then how do I use Firebase Auth with Node.js and Javascript, Im only finding information on "sign in pages" and things – Mister SirCode Jul 26 '20 at 08:34
  • "But If I have to use the auth variable, can you show me how I can implement it into javascript / node.js " -> please go through the documentation https://firebase.google.com/docs/auth/web/start – Renaud Tarnec Jul 26 '20 at 08:34
  • If you want to access Firebase services from a backend, see https://firebase.google.com/docs/auth/where-to-start#adminsdk – Renaud Tarnec Jul 26 '20 at 08:35
  • Admin sdk is a trial... Its a paid option. – Mister SirCode Jul 26 '20 at 08:55
  • "Its a paid option" What do you exactly mean? There is always a free tier for Firebase services. – Renaud Tarnec Jul 26 '20 at 13:00
  • Nevermind, I just kept being sent to the wrong page. it was asking for a trial, anyways, I got it working using both Auth, Admin and Web together in my Node.js – Mister SirCode Jul 26 '20 at 13:22