Reputation: 1
I create API that used firebase client sdk to authorize user by real-time database rules, but the api return "PERMISSION_DENIED" when i used generated token by firebase app.
this is short code for my api:
// GET {{url}}/users
import * as admin from 'firebase-admin';
import * as firebase from 'firebase';
// admin sdk to verify generated token.
const userAuth = await admin.auth().verifyIdToken(accessToken); // return user object, no problem with that.
const user = await firebase.database().ref(`users/${userAuth.uid}/`).once('value'); // this causes "PERMISSION_DENIED" when fetch data from database.
this sample of my db rules:
{
"rules": {
"users": {
".read": "auth !== null"
},
},
}
I used firebase client sdk to apply db rule on it, and i don't want to used admin sdk because it have full admin privileges. So how can i solved this problem ?
Upvotes: 0
Views: 340
Reputation: 3455
admin.auth().verifyIdToken just check if token validate, It does not guarantee endorsement for the next functions. So you need to use firebase admin sdk instead of client api.
await admin.auth().verifyIdToken(accessToken).then(() => {
//You code here
admin.database().ref(`users/${userAuth.uid}/`).once('value');
}).catch(err => {
//Token invalid
})
Upvotes: 0
Reputation: 11
The main issue is you need the admin sdk to verify the sent token, then you need to initialiase the admin sdk with databaseAuthVariableOverride
based on decoded token!
Upvotes: 1
Reputation: 600061
If you want the admin SDK to access the Realtime Database with the permission of userAuth
, you'll want to set databaseAuthVariableOverride
when initializing the FirebaseApp
. For full details and code samples, see authenticate with limited privileges
Upvotes: 0