Reputation: 1485
I am new to firebase. I have below given code -
var config = {
apiKey: ".....",
authDomain: "....",
databaseURL: ".....",
storageBucket: "...."
};
firebase.initializeApp(config);
function writeData(socialType, userName, name, message) {
database.ref("/" + socialType + "/" + userName + "/").set({
name: name,
message: message
});
}
writeData("fb", "Jhon", "booo1", "message1");
I wonder what should be the security rules for these kind(i mean access with api key, and there is no login. In fact on firebase nodejs library firebase.auth() the auth method doesn't exist). I don't want to allow anonymous access, I want to let access if there is a valid api key.
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
For this security rules I get permission_denied error. Which probably makes sense, because there is no auth since I am not authenticating, but accessing through api key.
NOTE: I don't want to use service account. I want to use api key to access (read/write) data
Upvotes: 0
Views: 1969
Reputation: 503
You have to manually call the signInWithEmail method on each endpoint before you access a firestore collection. Its annoying but no workaround
return await firebase.auth().signInWithEmailAndPassword("###", "###").then(async () => {
const user = await firebase.firestore().collection('user_info').doc('123').get()
return user.data();
})
Upvotes: 0
Reputation: 618
The current issue with your rules is the:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Since it appears that you don't have a login. If the browser code has the proper api keys you can use the firebase anonymous auth to allow auth !== null to succeed.
Also in the future I would suggest using the !== over the != to improve reliabilty
Upvotes: 1
Reputation: 599976
The API key just identifies your project to the Firebase servers. It does not authenticate your node.js process with Firebase, nor does it grant you permission to access any data in the database.
To authenticate from your node.js process with Firebase, you will have to follow one of the methods outlined in the documentation. All of these require the use of a service account in some way, either to directly access the database or to sign a custom token. This is simply the way Firebase Authentication works for server-side processes and there is no way to avoid it.
Upvotes: 1