1
votes

The legacy Firebase documentation indicates that you can insert properties into the auth object that is used in database security rules. Indeed I had this approach working quite nicely in my app before I upgraded to version 3.

"Any values passed into createToken() are appended onto the auth variable for use in your Security and Firebase Rules."

The new Firebase auth service still allows for the use of custom auth tokens, and the new rules documentation states:

"Developers creating their own custom authentication tokens can optionally add additional claims to these tokens. These additional claims will become present on the auth variable in your rules."

...and yet this isn't working in security rules. To debug, in version 3 there doesn't seem to be a way to access the auth object via the firebase API. E.g. getAuth() method seems to be missing, and the auth.getCurrentUser() method doesn't return any of the custom claims I added to the user, so I'm unclear if they exist in the auth object. The documentation here states that:

"You can also optionally specify additional claims to be included in the custom token. These claims will be available in the auth / request.auth objects in your Security Rules."

When running the app, I get access denied errors for the currently authenticated user for any read / write attempts at the path "/domains/mydomaincom".

However, I'm definitely generating a custom signed JWT token and it's definitely being accepted by the Firebase custom auth method. I'm also definitely getting the rule to access the correct path (e.g. all data under "/domains/mydomaincom") when I paste the custom-auth-server-returned JWT token payload into the Firebase rules simulator.

When I look at the user via getCurrentUser() I have no visibility into the firebase auth object as it might present itself to the rules engine (e.g. none of my custom claims appear to be included in the currentUser object) so I really don't understand how to debug further.

I'm specifically looking for tips on what other debugging methods are available on the Firebase rules for custom auth, and/or whether or not others can confirm that they have succeeded in getting custom auth properties to work with rules in Firebase 3.

Here are the (security-obscured) contents of the custom JWT, as decoded client side from the server-side generated token.

{
  "iss": "<client_email>",
  "sub": "<client_email>",
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "exp": 1463955043,
  "iat": 1463951442,
  "provider": "gas",
  "domain": "mydomaincom",
  "email": "[email protected]",
  "uid": "<FB UID HERE>",
  "userGoogToken": "<LONG TOKEN HERE>",
  "adminGoogToken": "<LONG TOKEN HERE>"
}

Here is the rules file:

{
  "rules": {
    "domains": {
      "$domain": {
        ".read": "$domain == auth.domain",
        ".write": "$domain == auth.domain"
      }
    }
  }
}

1 Answer

2
votes

As per the docs you pointed to, the additional claims that you could use in the auth rules need to be specified in the claims attribute as a map of additional claims. Try this:

{
  "iss": "<client_email>",
  "sub": "<client_email>",
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "exp": 1463955043,
  "iat": 1463951442,
  "provider": "gas",
  "email": "[email protected]",
  "uid": "<FB UID HERE>",
  "userGoogToken": "<LONG TOKEN HERE>",
  "adminGoogToken": "<LONG TOKEN HERE>",
  "claims": {
    "domain": "mydomaincom"
  }
}