I use auth.uid to identify who owns a record.
E.g. { "owner" : "facebook:100200" } is owned by user 100200 who authenticated using Facebook. Note: the uid is preceded by the Provider name "facebook".
I have a rule that checks that only owners can read their own data.
Problem is, the Rule fails if:
"owner" : "facebook:100200" (has Provider name)
It succeeds if:
"owner" : "100200" (no Provider name)
The Rule is:
{ ".read": "data.child('owner').val() == auth.uid" }
Is this correct behaviour? If so, I should clip out the Provider details (i.e. "facebook") before I save the owner details. I am wondering if I am using the wrong auth.uid in the first place.
Here is how I get the auth.uid. It comes with the Provider name :
// logged-in
Auth.$onAuth(function(authData) {
  // authData.uid carries the provider prefix
  console.log("Logged in as", authData.uid); // "facebook:100200"
});
SOLVED: When you test using the Firebase Simulator, take note of the JSON in the Custom Auth field. By default, the format is { provider: 'anonymous', uid: '100200' }, i.e. uid was set to 100200.
For the Rule to pass, I had to change the value in Custom Auth to { uid: 'facebook:100200' }
END
Many Thanks, Beemer