Flutter Firestore Authentication

11
votes

I have a Flutter project that's using the cloud_firestore plugin for data access. Once a user authenticates to the application, what do I need to do to set that as the authentication used by the Firestore client? For example, I just have these basic rules enabled:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;     
    }
    match /users/{userId}/{document=**} {
      allow read, update, delete, create: if request.auth.uid == userId;
    }
    match /ingredients/* {
      allow read, create: if request.auth.uid != null;      
    }
    match /units/* {
      allow read, create: if request.auth.uid != null;      
    }
    match /recipes/* {
      allow read, create, update: if request.auth.uid != null;      
    }
  }
}

As soon as I enabled those rules, every request from my Flutter app started failing. If I test the Firestore rules with the little "simulator" they have, they work as expected, so the authentication does not appear to be getting set correctly from the Flutter app side.

EDIT: Adding some code samples.

I have authentication code that uses Google Auth, so when the user logs in it looks like this:

class Auth implements AuthService {
  final FirebaseAuth _firebaseAuth = FirebaseAuth.instance;

GoogleSignIn _googleSignIn = GoogleSignIn(
    scopes: [
      'email',
      'https://www.googleapis.com/auth/contacts.readonly',
    ],
  );


  Future<String> signInWithGoogle() async {
    final GoogleSignInAccount googleUser = await _googleSignIn.signIn();
    final GoogleSignInAuthentication googleAuth = await googleUser.authentication;

    final AuthCredential credential = GoogleAuthProvider.getCredential(
      accessToken: googleAuth.accessToken,
      idToken: googleAuth.idToken,
    );

    final FirebaseUser user = await _firebaseAuth.signInWithCredential(credential);
    return user.uid;
  }

I've verified that the user is being authenticated properly.

Then, when accessing Firestore, something like:

DocumentSnapshot userSnapshot = await Firestore.instance
          .collection('users')
          .document(userId)
          .collection('shoppingLists')
          .document(listName)
          .get();

I've followed all of the guides to add Firebase and Firestore to my app, and I didn't see anything specific about setting the currently authenticated user as the user that's making the Firestore requests, so I feel like I'm missing something there. Is there something I'm supposed to be doing when making the Firestore queries to pass in the current user?

3
fluttergoogle-cloud-firestorefirebase-security
Did you find a solution for this problem? I'm having the same problem and is crazy how I can't find nowhere an answer, just questions without any solution about this. - André Lúcio
Take a look at this answer ("Just in case..."): stackoverflow.com/questions/52812514/… - Stefan Kühn
Looks all good to me. Check if 'userId' has the intended value when you are accessing the reference in Firestore. There is also a very helpful simulator in the Firestore Rules UI (bottom left) which you can use. It tells you exactly where your rules fail. - Thomas
I have the exact same problem using any rules is causing a permission denied error for me as well. - king_below_my_lord
It's Apr 2020 and there's still no answer for such a basic question.. - dark_ruby

3 Answers

5
votes

The answer is to not user Firestore.instance as this gives you an instance disconnected from your Firebase app;

instead use create you Firebase app providing all the keys, then authenticate against that app, and then create a Firestore instance against that app. There's no way to explicitly pass the user, but the code internally uses some logic to figure out user that's been authenticated against your created app. Here's the code I used:

  Future<void> _authenticate() async {
    FirebaseApp _app = await FirebaseApp.configure(
      name: 'some-name',
      options: FirebaseOptions(
        googleAppID: 'some:id',
        gcmSenderID: 'sender',
        apiKey: 'api-key-goes-here',
        projectID: 'some-id',
      ),
    );
    final _auth = FirebaseAuth.fromApp(_app);
    final _result = await _auth.signInAnonymously();

    setState(() {
      app = _app;
      auth = _auth;
      user = _result.user;
      store = Firestore(app: app); //this is the code that does the magic!
    });
  }

as for the serverside rule configuration - refer to @cloudwalker's answer

0
votes

For me, it wound up being an issue with how I had my firestore rules set up. This is what I have now, and it works well:

service cloud.firestore {
  match /databases/{database}/documents {


    match /users/{userId} {
      allow create: if isAuthenticated();
    }

    match /users/{userId} {
      allow read, update: if isOwner(userId);
    }

    match /users/{userId}/{document=**} {
      allow read, write: if isOwner(userId);
    }

    match /categories/{document=**} {
      allow read: if isAuthenticated();
    }

    match /config/{document=**} {
        allow read: if isAuthenticated();
    }


}


 function isAuthenticated() {
    return request.auth.uid != null;
  }  

  function isOwner(userId) {
    return request.auth.uid == userId;
  }
}
0
votes

The solution is to initialize FirebaseStorage after getting authenticated user

Future<Null> main() async {
  WidgetsFlutterBinding.ensureInitialized();

  AppInfo.app = await Firebase.initializeApp(options: AppInfo.firebaseOptions);

}

It's easier if you have a listener

FirebaseAuth.instance.authStateChanges().listen((authUser) async {

   if (authUser != null && AppInfo.authUser == null) {
        AppInfo.authUser = authUser;
        print("Got Firebase user: " + authUser.uid);
        setState(() {
          if (AppInfo.instance == null) {          
            AppInfo.instance =
                FirebaseStorage(app: AppInfo.app, storageBucket: BUCKETGS);
            AppInfo.instanceTemp =
                FirebaseStorage(app: AppInfo.app, storageBucket: BUCKETTEMP);
          }

          AppInfo.userAuthId = authUser.uid;
          streamsStartVerify();
        });
      } else if (authUser == null && AppInfo.authUser != null) {
        print("sign out!!!");
        AppInfo.authUser = null;
        AppInfo.userAuthId = "";
      }
   });
}