1
votes

I got my app working with read and write with wide-open permissions and now I'm locking it down. My app won't read or write though. I get permission denied errors despite the Firebase rules simulator saying that my rules are ok for a Facebook authenticated user whose UID I got from a successful firebase signInWithProvider. What am I missing?

{
  "rules": {
    "items": {
      "$uid": {
        // user must match the authenticated user
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

This is my data structure:

my-firebase-app
    -items: {
        -<uid123> : [
            {label:'apple'},
            {label:'banana'}
        ]
        -<uid456> : [
            {label:'pear'},
            {label:'cherry'}
        ]
    }
  • I sign into firebase after facebook auth by doing, firestack.auth.signInWithProvider(provider, facebookAccessToken, ''), which gives me my user object including uid
  • I push to /items/uid123 and get an item id, 333
  • I set the item {label:'apple'} for the new ID (333) at /items/uid123/333
  • I subscribe to the collection of items at /items/uid123 by doing this with the web sdk: itemsRef.child(uid).on('value', (snapshot) => .....

My set call looks like,

const newPostRef = itemsRef.child(uid).push();
newPostRef.set(itemWithID);

set promise gets rejected with permission denied error.

All the things above work fine if my .read and .write are simply set to true which leads me to think my syntax or structure is just off in the rules def. Would love some input.

1
Please share the minimal code that triggers the problem. – Frank van Puffelen

Thank you @FrankvanPuffelen, I've updated my question with more detail. – ABCD.ca

I still don't understand which code triggers the problem. Is it the on() that triggers the permission denied? Also note that we have no way to see how the auth flows here. Instead of a bullet list of how you think it executes, share a single snippet that (when run) triggers the error. It may help if you try to reproduce the problem in a jsbin (although that would mean having to reproduce without firestack). – Frank van Puffelen

Thanks, this is react native so it won't work in a jsbin. I'm using react-native-firestack for auth, which succeeds – I get my user object back and it contains a uid field whose value is what I'm using in place of uid456 above. I'm using the firestack web sdk for the other methods. My on doesn't throw an error, just doesn't fire. My set call (added above) does trigger the error though – again, only when my rules are not wide open and set to true. Doesn't seem likely that it's my JS since it works without db rule constraints? Does my rules def look correct relative to the db structure? – ABCD.ca

1 Answer

1
votes

There is nothing wrong with the security rules, and in theory, both the set and the query operations look fine.

In practice however, you are making a grave mistake. As you revealed in the comments, you are trying to use both the Web SDK and the react-native-firestack library at the same time!

The authentication state is not shared between the two, thus the on('value') query is completely unauthenticated. If you added the third parameter to on (the cancel callback), you would see the permission denied error.

You must eliminate the web SDK completely, and use the realtime database via firestack too.
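The following is an added example, not code from the question or the answer: a small local model of how the `$uid` wildcard and `auth.uid == $uid` rule from the question are evaluated for a request. It is not the Firebase SDK or the real rules engine; it only supports the features the question's rules use (a `$wildcard` node, `.read`/`.write` with `true`/`false` or `auth.uid == $var`), and it models an unauthenticated client, which is what the answer says the Web SDK instance is here, as `auth === null`. The paths and uids are the constructed ones from the question.

```javascript
// Added example: a minimal local model of Realtime Database rule evaluation.
// Assumption: this mirrors only the subset of the rules language used in the
// question; it is not the Firebase rules engine.

const rules = {
  rules: {
    items: {
      $uid: {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid",
      },
    },
  },
};

// Evaluate one rule expression with the wildcard variables bound so far.
// Supported forms: true, false, and "auth.uid == $var" (the question's form).
function evalExpression(expr, auth, vars) {
  if (expr === true || expr === "true") return true;
  if (expr === false || expr === "false") return false;
  const m = /^auth\.uid\s*==\s*(\$\w+)$/.exec(String(expr).trim());
  if (!m) throw new Error(`unsupported rule expression: ${expr}`);
  // An unauthenticated request carries auth === null, so the comparison is
  // false regardless of which $uid segment the path matched.
  if (auth === null || auth === undefined) return false;
  return auth.uid === vars[m[1]];
}

// Walk the rules tree along the request path. Access is granted as soon as
// the root or any node along the path has a matching rule that is true;
// a deeper node cannot revoke access granted above it. If the walk runs
// out of rule nodes without a grant, the request is denied (default deny).
function isAllowed(rulesDoc, path, auth, op) {
  const key = op === "read" ? ".read" : ".write";
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rulesDoc.rules;
  if (key in node && evalExpression(node[key], auth, vars)) return true;
  for (const seg of segments) {
    let next = node[seg];
    if (next === undefined) {
      // No literal child: fall back to the node's $wildcard, binding it to
      // the path segment (e.g. $uid = "uid123").
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false;
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    if (key in node && evalExpression(node[key], auth, vars)) return true;
  }
  return false;
}

// The four situations from the question, as seen by the rules:
// an authenticated client touching its own subtree, someone else's subtree,
// and an unauthenticated client (the second, unauthenticated SDK instance).
function demo() {
  const authenticated = { uid: "uid123" }; // constructed, from the question
  return {
    ownWrite: isAllowed(rules, "/items/uid123/333", authenticated, "write"),
    ownRead: isAllowed(rules, "/items/uid123", authenticated, "read"),
    otherRead: isAllowed(rules, "/items/uid456", authenticated, "read"),
    unauthenticatedRead: isAllowed(rules, "/items/uid123", null, "read"),
    unauthenticatedWrite: isAllowed(rules, "/items/uid123/333", null, "write"),
  };
}

// Wide-open rules, as the question had them before locking down: every
// request is granted at the root, authenticated or not.
const wideOpen = { rules: { ".read": true, ".write": true } };

console.log(demo());
console.log(isAllowed(wideOpen, "/items/uid123", null, "read"));
```

The model shows why the rules simulator said the rules were fine: with `auth.uid` equal to the `$uid` segment, both reads and writes at `/items/uid123` are granted, and only a mismatched or null `auth` is denied. That matches the answer's diagnosis that the rules are correct and the requests from the second SDK instance simply have no `auth`. In the real Web SDK the denial for a listener is only surfaced if you pass the cancel callback as the third argument to `on('value', onData, onCancel)`, which is why the listener appeared to do nothing.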