Apply real-time database rules on Firebase admin sdk

Question

I create API that used firebase client sdk to authorize user by real-time database rules, but the api return "PERMISSION_DENIED" when i used generated token by firebase app.

this is short code for my api:

// GET {{url}}/users

import * as admin from 'firebase-admin';
import * as firebase from 'firebase';

// admin sdk to verify generated token.
const userAuth = await admin.auth().verifyIdToken(accessToken); // return user object, no problem with that.
const user = await firebase.database().ref(`users/${userAuth.uid}/`).once('value'); // this causes "PERMISSION_DENIED" when fetch data from database.

this sample of my db rules:

{
 "rules": {
  "users": {
    ".read": "auth !== null"
  },
 },
}

I used firebase client sdk to apply db rule on it, and i don't want to used admin sdk because it have full admin privileges. So how can i solved this problem ?

Answer 1

admin.auth().verifyIdToken just check if token validate, It does not guarantee endorsement for the next functions. So you need to use firebase admin sdk instead of client api.

await admin.auth().verifyIdToken(accessToken).then(() => {
  //You code here
  admin.database().ref(`users/${userAuth.uid}/`).once('value');
}).catch(err => {
  //Token invalid
})

Answer 2

The main issue is you need the admin sdk to verify the sent token, then you need to initialiase the admin sdk with databaseAuthVariableOverride based on decoded token!

Answer 3

If you want the admin SDK to access the Realtime Database with the permission of userAuth, you'll want to set databaseAuthVariableOverride when initializing the FirebaseApp. For full details and code samples, see authenticate with limited privileges