How can I let my Firebase Security Rules allow Authenticated Access to my Realtime Databas when I get "PERMISSION DENIED"

0
votes

I found this question: Firebase Permission Denied which mentions using this JSON code:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

It only allows access to Read or Write by authenticated users. This would work perfectly for me.

The only issue is that this answer is outdated. They dont use JSON anymore as far as I know.

Currently my rules look like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

How can I allow only Read and Write access to users with the "API Key" which I have provided and loaded in my app like in the old question?

Edit, I now know that Firebase Realtime Database uses JSON Rules and Firebase Firestore uses the actual Firebase Security Rules Language.

So after I realized this, I set all my rules to auth != null.

In realtime database rules:

{
  "rules": {
    "users": {
        ".read": "auth != null",
        ".write": "auth != null"
    }
  }
}

And also Cloud Storage rules just in case:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Yet after all of this... Im still getting these errors:enter image description here

I dont get what Im doing wrong, Im directly sending in the API key correctly, I logged it just to test it, all my references are correct...

I DONT GET IT....

EDIT: Code

const firebase = require('firebase');
var config = {
    apiKey: "(Key removed... for obvious reasons)",
    authDomain: "discord-trust.firebaseapp.com",
    databaseURL: "https://discord-trust.firebaseio.com",
    storageBucket: "discord-trust.appspot.com"
};
firebase.initializeApp(config);

... Lots of code between these two ...

case `testWriteReputation`: {
                    if (msg.author.bot) return;
                    if (msg.author.id === bot.user.id) return;
                    firebase.database().ref(`BasicUserData/${msg.author.id}`).set({
                        lastLoggedUsername: msg.author.tag,
                        lastLoggedAvatar: msg.author.avatar,
                        lastLoggedDiscriminator: msg.author.discriminator,
                        userAccountCreated: msg.author.createdAt,
                        userIdentifier: msg.author.id
                    });
                    break;
                }

Entire javascript file can be found here, again, with the api key removed: https://hatebin.com/egchvudbew

1
firebasefirebase-realtime-databasefirebase-authenticationfirebase-security
Could you provide the code that creates this problem?Chris Papantonis
Can you add more details? It is difficult to understand what is your problem. Are you using the RealtimeDB or Firestore? How do you access it?Renaud Tarnec
@ChrisPapantonis Added CodeMister SirCode
@RenaudTarnec Realtime Database. I apologize for being unclearMister SirCode
Do you authenticate your user before calling this code?Renaud Tarnec

1 Answers

1
votes

As explained in the doc, if you want to use the auth variable in your Realtime Database Security rules (allowing you to control data access on a per-user basis), you need to use Firebase Authentication.

Once a user authenticates, the auth variable in your Realtime Database Rules rules will be populated with the user's information. This information includes their unique identifier (uid) as well as linked account data, such as a Facebook id or an email address, and other info.

Have a look at this doc for more info on how to start with Authentication.

Note that the Realtime Database and Firestore are two totally different Firebase services. They don't share the same security rules syntax.