
Is it possible to include a payload/parameter when executing a GET request to Firebase Realtime Database, in order to access the payload/parameter in the Firebase Realtime Database rules?

Using React Native with JavaScript.

Frank van Puffelen
Jonas

1 Answer


For a GET/read request to the Realtime Database, the following information is available in your security rules:

  1. The path that is requested, or the query that was executed.
  2. The auth variable indicating the logged in user, including any claims in auth.token.

So if you want to pass information, you will have to put it into one of these. For example, you can make the payload part of the path, or you can store it in the user's profile as a custom claim.

Putting it in the path is typically preferred for short-lived information, like a nonce or a shared secret, while a custom claim is more common for some semi-permanent state of the user, such as them being marked as an application administrator.

Frank van Puffelen
  • Thanks for the answer! Regarding the first option, how do I access the variables in the database rules? For instance, if my path is "firebaseurl/auth?={token}?variable={variableValue}, how do I access the value of the variable in the database rules? – Jonas Feb 01 '21 at 16:56
  • There is no way to pass a custom variable to the rules. The only two options are mentioned in my answer. – Frank van Puffelen Feb 01 '21 at 17:08
  • So I should use queries? Sorry, I am not very into rules. Is it possible to pass a custom variable by using queries? – Jonas Feb 01 '21 at 18:20
  • It isn't possible to pass a custom variable into queries. The only information that your rules have is what I've listed in my answer. – Frank van Puffelen Feb 01 '21 at 18:51
  • How is it then possible to check a parameter that the user performing the request sets, up against a value in the database? To ensure secure read / write rules. – Jonas Feb 02 '21 at 14:48
  • For example, a user should only be able to read from another user if their `group_id` is matching, hence it is necessary for the requesting user to pass a parameter with the `group_id` – Jonas Feb 02 '21 at 15:10
  • If you query with something like `ref.orderByChild("group_id").equalTo(123)` you can check for that in the rules. So you should create a data model that allows you to query for the data you want to allow, and then use security rules to only allow that query. – Frank van Puffelen Feb 02 '21 at 15:21
  • I think this is what I am looking for, however the query returns `null`. I tried to have my ref as `(users/{user_id})`, and then used the query you mentioned above. Am I missing something here? Is it possible to have my ref `(users/{user_id}/group_id)` and then have the following query: `ref.equalTo(123)` ? – Jonas Feb 03 '21 at 09:59
  • We've moved from the original question (Q: "Is it possible to pass additional information to security rules?" A: "No") to a much more concrete implementation issue. I recommend opening a new question with a reproduction of the code and rules of what you're trying now. – Frank van Puffelen Feb 03 '21 at 14:08
  • Okay thanks, I will do that! Appreciate the help – Jonas Feb 03 '21 at 15:09
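A worked example of the two mechanisms the answer lists (the query the client sends and the claims in `auth.token`), added here and not part of the original question, answer or comments. It contains a rules file in the real Realtime Database rules syntax (`query.orderByChild`, `query.equalTo`, `auth.uid`, `auth.token.<claim>`, `root.child(...).val()` are all real rules identifiers) plus a constructed JavaScript model of the same `.read` decision so the behaviour can be exercised offline; it is not the Firebase rules engine. The `/users/{uid}/group_id` layout, the `admin` custom claim and the sample users are assumptions made for this example.

```javascript
// Rules as they would be pasted into the Firebase console. The data layout
// (/users/{uid}/group_id) and the `admin` custom claim are assumptions.
const RULES = {
  rules: {
    users: {
      // Listing /users is allowed only through a query on the caller's own
      // group_id, or when the caller's ID token carries the admin claim.
      // There is no way to pass a free-form parameter; the query *is* the parameter.
      ".read":
        "auth != null && (" +
        "auth.token.admin === true || (" +
        "query.orderByChild == 'group_id' && " +
        "query.equalTo == root.child('users').child(auth.uid).child('group_id').val()))",
      "$uid": {
        // Each user may write only their own profile node.
        ".write": "auth != null && auth.uid == $uid",
        // group_id must stay numeric so the equality check above is meaningful.
        "group_id": { ".validate": "newData.isNumber()" },
      },
    },
  },
};

// Constructed data snapshot standing in for `root` in the rules above.
const SAMPLE_DB = {
  users: {
    alice: { group_id: 123, name: "Alice" },
    bob: { group_id: 123, name: "Bob" },
    carol: { group_id: 999, name: "Carol" },
  },
};

// Offline model of the ".read" expression. It mirrors the same conditions the
// rules engine evaluates; it is NOT Firebase code.
// `auth` is { uid, token } or null; `query` is { orderByChild, equalTo } for a
// filtered read, or {} for a plain `ref.once("value")` without a query.
function isReadAllowed(auth, query, db = SAMPLE_DB) {
  if (auth === null) return false; // auth != null
  if (auth.token && auth.token.admin === true) return true; // custom claim path
  const me = db.users[auth.uid];
  const myGroup = me ? me.group_id : null; // root.child('users').child(auth.uid).child('group_id').val()
  return (
    query.orderByChild === "group_id" &&
    myGroup !== null &&
    query.equalTo === myGroup
  );
}

// What the client call `ref.orderByChild("group_id").equalTo(groupId)` looks
// like from the rules' point of view (assumed client-side shape).
function groupQuery(groupId) {
  return { orderByChild: "group_id", equalTo: groupId };
}

// Runs the model against a few constructed callers and returns the decisions.
function demo() {
  const alice = { uid: "alice", token: {} }; // regular user in group 123
  const admin = { uid: "ops", token: { admin: true } }; // custom claim set server-side
  return {
    plainRead: isReadAllowed(alice, {}), // unfiltered listing is denied
    ownGroup: isReadAllowed(alice, groupQuery(123)), // query on own group is allowed
    otherGroup: isReadAllowed(alice, groupQuery(999)), // query on another group is denied
    adminPlainRead: isReadAllowed(admin, {}), // admin claim bypasses the query check
    anonymous: isReadAllowed(null, groupQuery(123)), // unauthenticated is denied
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes concrete is the one from the comments: the rule does not read a `group_id` the client "passes" as a variable, it compares the query the client sent against a value already stored in the database under the caller's `auth.uid`. A client that omits the `orderByChild`/`equalTo` pair, or queries a group other than its own, gets the read denied at the root of `/users` regardless of what else is in the URL.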