Murad Dweikat

Reputation: 1

Apply real-time database rules on Firebase admin sdk

I created an API that uses the Firebase client SDK to authorize users via Realtime Database rules, but the API returns "PERMISSION_DENIED" when I use a token generated by the Firebase app.

This is a short code sample from my API:

// GET {{url}}/users

import * as admin from 'firebase-admin';
import * as firebase from 'firebase';

// admin sdk to verify the generated token.
async function getUser(accessToken) {
  const userAuth = await admin.auth().verifyIdToken(accessToken); // returns the decoded token, no problem with that.
  // the client sdk is not signed in as this user, so the rules are evaluated with auth === null
  const user = await firebase.database().ref(`users/${userAuth.uid}/`).once('value'); // this causes "PERMISSION_DENIED" when fetching data from the database.
  return user;
}

This is a sample of my db rules:

{
  "rules": {
    "users": {
      ".read": "auth !== null"
    }
  }
}

I used the Firebase client SDK to apply the db rules, and I don't want to use the admin SDK because it has full admin privileges. So how can I solve this problem?

Upvotes: 0

Views: 340

Answers (3)

Cong Nguyen

Reputation: 3455

admin.auth().verifyIdToken just checks whether the token is valid. It does not guarantee authorization for the next function calls. So you need to use the Firebase Admin SDK instead of the client API.

admin.auth().verifyIdToken(accessToken).then((userAuth) => {
  // Your code here: the decoded token carries the uid
  return admin.database().ref(`users/${userAuth.uid}/`).once('value');
}).catch(err => {
  // Token invalid
});

Upvotes: 0

Abdelrahman

Reputation: 11

The main issue is that you need the Admin SDK to verify the sent token, and then you need to initialize the Admin SDK with databaseAuthVariableOverride based on the decoded token!

Upvotes: 1

Frank van Puffelen

Reputation: 600061

If you want the Admin SDK to access the Realtime Database with the permissions of userAuth, you'll want to set databaseAuthVariableOverride when initializing the FirebaseApp. For full details and code samples, see authenticate with limited privileges.

Upvotes: 0
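The approach the last two answers describe (verify the ID token with the Admin SDK, then initialize a second app with databaseAuthVariableOverride set from the decoded token), as an added example that is not code from the question or the answers. It assumes Node.js with firebase-admin installed and GOOGLE_APPLICATION_CREDENTIALS pointing at a service-account key; the function name readOwnProfile is chosen here, and the firebase-admin module is passed in as a parameter so the logic can be exercised without a live project.

```javascript
// Added example, not code from the question or either answer. Assumes Node.js
// with firebase-admin installed and GOOGLE_APPLICATION_CREDENTIALS set;
// readOwnProfile is a name chosen here.

// Reads users/{uid} for the caller identified by `accessToken`, with the
// Realtime Database rules enforced as if that user were reading.
// `admin` is the firebase-admin module, passed in so the function can be
// exercised with a stub. Rejects if the token is invalid or the rules deny.
async function readOwnProfile(admin, accessToken) {
  // 1. Verify the ID token with the default app. That app has full
  //    privileges, but it is only used for verification here.
  const decoded = await admin.auth().verifyIdToken(accessToken);

  // 2. Initialize a second app whose database access is scoped to this user.
  //    The rules' `auth` variable becomes this object, so `auth !== null`
  //    and `auth.uid === $uid` checks behave as for a signed-in client.
  //    A unique app name is required because the default app already exists.
  const scoped = admin.initializeApp(
    {
      credential: admin.credential.applicationDefault(),
      databaseURL: admin.app().options.databaseURL,
      databaseAuthVariableOverride: { uid: decoded.uid },
    },
    `scoped-${decoded.uid}-${Date.now()}`
  );

  try {
    // 3. Same path the question reads; PERMISSION_DENIED now only occurs
    //    if the rules reject this uid, not because auth is null.
    const snap = await scoped.database().ref(`users/${decoded.uid}`).once('value');
    return snap.val();
  } finally {
    // 4. Tear the scoped app down so one instance does not linger per request.
    await scoped.delete();
  }
}

// Stand-alone run (skipped unless an ID token is supplied in the environment).
if (process.env.FIREBASE_ID_TOKEN) {
  const admin = require('firebase-admin');
  admin.initializeApp(); // default app, credentials from GOOGLE_APPLICATION_CREDENTIALS
  readOwnProfile(admin, process.env.FIREBASE_ID_TOKEN).then(console.log, console.error);
}
```

Note that a rule of only `auth !== null` is satisfied by any non-null override, so a per-user rule such as `"auth.uid === $uid"` under `users/$uid` is what actually ties the read to the verified caller.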
