
I have developed a single CRUD project (login screen and CRUD operation screen HTML) and hosted it on Firebase Hosting, where the user signs in with email and password. I am using Firebase sign-in with email and password and it's working as expected.

But now the issue is that I want to secure the backend with auth, but it's not passing auth in setDoc(), deleteDoc(), etc. My requirement is that without auth, no one should do any operation on the database.

import { doc, setDoc } from "firebase/firestore"; 
await setDoc(doc(db, "cities", "LA"), {
  name: "Los Angeles",
  state: "CA",
  country: "USA"
});

The rules below are working, but they are not secure for a production env.:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

If I set rules like below, it gives me an insufficient permission error. I don't know how to pass the UID in setDoc() or any other operation.

allow read, write: if request.auth != null;

Update: If I put the code below before setDoc(), the check is not executing because currentUser has user data.

async function addCity(){

    // firebase.auth() is the v8 (namespaced) API, while doc()/setDoc() below
    // come from the v9 modular SDK (see the final answer for why this matters).
    if (!firebase.auth().currentUser) {
        // this code is not executing because the user is signed in
        alert("Login required");
        window.location.href = "login.html";
        return;
    }
    // I can print the UID and it shows, meaning the user is logged in.
    await setDoc(doc(db, "cities", "LA"), {
         name: "Los Angeles",
         state: "CA",
         country: "USA"
    });
}
  • If the user is signed in to Firebase Authentication, their credentials are automatically passed with any calls you make to the Firestore SDK and passed along to the `request.auth` variable in security rules automatically too. There's nothing you need to do for this. So if `request.auth` is `null`, it is most likely because the user isn't signed in by the time your write operation runs. Consider putting an `if (getAuth().currentUser != null) {` around that call to guard against this case. – Frank van Puffelen Jan 03 '23 at 14:46
  • @FrankvanPuffelen I updated the post where I check if the user is logged in. I can print the UID there, but it's not passing with setDoc() to Firebase. – kamlesh parmar Jan 03 '23 at 15:30
  • Hmm... I don't immediately see what could still go wrong with that check in place. I hope somebody else spots the problem. – Frank van Puffelen Jan 03 '23 at 17:20
  • @FrankvanPuffelen It may occur because I am using this example for login: https://github.com/firebase/quickstart-js/blob/master/auth/email-password.html and for Firestore I am importing from: import { getFirestore,writeBatch, collection, doc, setDoc, getDocs, getDoc, query, where } from "https://www.gstatic.com/firebasejs/9.13.0/firebase-firestore.js"; – kamlesh parmar Jan 04 '23 at 04:33

2 Answers


This is covered in detail in the Firebase documentation on Security & Rules, which I would recommend you check out. You can secure your data with Security Rules; Firebase Security Rules are evaluated, and based on the rules language it is validated whether the current user can access your data.
Security Rules give you access to a set of server variables to check your rules against. The most commonly used one is the auth variable, which lets you check against the currently authenticated user. You can also create wildcard variables with $, which act as route parameters.
{
  "rules": {
    "users": {
      // users can read and write their own data, but no one else.
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

You can also check the feature called Firebase App Check, it will let you limit access to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project. You can combine this with the user authentication based security described above, so that you have another shield. Also check these similar examples below:

Vaidehi Jamankar
  • I am using Firebase Firestore. I don't want to implement App Check because it's a simple CRUD project with auth. I want to allow only logged-in users to read/write in the entire DB. – kamlesh parmar Jan 03 '23 at 11:32
  • Check out these links; they might be helpful with similar examples: https://ibjects.medium.com/reactjs-crud-application-using-firebase-firestore-database-authentication-and-hosting-9e464af5e181 https://stackoverflow.com/questions/63671448/how-to-configure-the-rules-of-a-firebase-project-to-be-safe https://stackoverflow.com/questions/61557693/firestore-security-rules-for-crud-operations-react https://rajatamil.medium.com/in-this-firebase-crud-javascript-web-tutorial-you-will-be-learning-how-to-do-create-update-and-c3ca4f4da15d – Vaidehi Jamankar Jan 04 '23 at 09:59

Finally, I found the solution. I was using different versions of the Firebase library: I was using the web v8 library for login and the modular lib for database access. I just moved all Firebase SDK usage to the same version, modular.
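A Firestore rules file for the asker's stated requirement (nothing without auth, signed-in users may work on the data), added here as an example and not part of either answer. The `cities` collection and its fields come from the question; the `users` collection is assumed. It only works once the client attaches an ID token, which is the SDK-version mix fixed above.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // True only when the Firestore SDK attached the user's ID token.
    // With v8 Auth and v9 modular Firestore on the same page no token is
    // attached, so request.auth is null and every rule below denies.
    function signedIn() {
      return request.auth != null;
    }

    // The cities collection from the question: any signed-in user may
    // read and write, but a write must carry exactly the expected fields.
    match /cities/{cityId} {
      allow read: if signedIn();
      allow create, update: if signedIn()
        && request.resource.data.keys().hasOnly(['name', 'state', 'country'])
        && request.resource.data.name is string;
      allow delete: if signedIn();
    }

    // Assumed per-user collection: only the owner may read or write it.
    match /users/{userId} {
      allow read, write: if signedIn() && request.auth.uid == userId;
    }

    // No catch-all match, so every other path falls back to the default deny.
  }
}
```

Check the rules in the console's Rules Playground with and without a signed-in user before running `firebase deploy --only firestore:rules`.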