Even if the user is logged in, I get an error

Question

I have a problem: I want a logged in user to be able to use my getRealtimeUsers function. But I get the following error: FirebaseError: Missing or insufficient permissions.

Below you will find the code. Some explanations: On the React side, I created a firebase, registered a getRealtimeUsers function there, and tried to use it.

firebase.js file

import firebase from "firebase/app";
import "firebase/firestore";

const firebaseConfig = {
    apiKey: process.env.REACT_APP_FIREBASE_KEY,
    authDomain: process.env.REACT_APP_FIREBASE_DOMAIN,
    projectId: process.env.REACT_APP_FIREBASE_PROJECT_ID,
    storageBucket: process.env.REACT_APP_FIREBASE_STORAGE_BUCKET,
    messagingSenderId: process.env.REACT_APP_FIREBASE_SENDER_ID,
    appId: process.env.REACT_APP_FIREBASE_APP_ID,
    measurementId: process.env.REACT_APP_FIREBASE_MEASUREMENT_ID
};

firebase.initializeApp(firebaseConfig);
export default firebase;

A function that uses the firebase I created:

import firebase from '../../firebase';

export const getRealtimeUsers = () => {

    return async () => {
        const db = firebase.firestore();
        const unsubscribe = db.collection("users")
        return unsubscribe;
    }
}

Testing of the function

import React, { Component } from 'react';

import { connect } from 'react-redux';
import { getRealtimeUsers } from '../redux/actions/chatActions';

import firebase from '../firebase';
let unsubscribe;

class chat extends Component {
    componentDidMount() {
        unsubscribe = this.props.getRealtimeUsers()
            .then(unsubscribe => {
                return unsubscribe;
            }).catch(error => {
                console.log(error);
            });
    }
    componentWillUnmount() {
        return () => {
            unsubscribe.then(f => f()).catch(error => console.log(error));
        }
    }

    render() {

        const ref = firebase.firestore().collection("users");
        return (

                <div>
                    check if works
                </div>
        );
    }
}

const mapStateToProps = (state) => ({
});

export default connect(
    mapStateToProps,
    {
        getRealtimeUsers
    }
);

Here I let the user do the login login.js action

export const loginUser = (userData) => (dispatch) => {
  axios
    .post('/login', userData)
    .then((res) => {
      console.log(res)
      setAuthorizationHeader(res.data.token);
    })
    .catch((err) => {
      console.log(err)
    });
};

The login is done on the nodejs side, which is also where I set it to firebase:

const config =  {
    apiKey: "WqcVU",
    authDomain: "c468.firebaseapp.com",
    projectId: "c468",
    storageBucket: "c468.appspot.com",
    messagingSenderId: "087",
    appId: "1:087:web:c912",
    measurementId: "G-SQX1"
  };
  ;

const firebase = require("firebase");
firebase.initializeApp(config);

// Log user in
exports.login = (req, res) => {
    const user = {
      email: req.body.email,
      password: req.body.password,
    };
    
    firebase
      .auth()
      .signInWithEmailAndPassword(user.email, user.password)
      .then((data) => {
        console.log(JSON.stringify(data));
        return data.user.getIdToken();
      })
      .catch((err) => {
        console.error(err);
      });
  };
app.post('/login', login);

the rules

rules_version = '2';
service cloud.firestore {
    match /databases/{database}/documents {
        match /{document=**} {
            allow read, write: if request.auth != null;
        }
    }
}

I want only a logged in user to use the getRealtimeUsers function, but even if the user is logged in it doesnt work. That's my problem.

I do not know at all how to solve it

Answer 1

in my case, faced same problem with rule's.

please give a try, change your rue and check whether its working or not

Answer 2

Is there a reason why you're not authenticating directly from the client? The thing is you have to pass in some way the authenticated state from the server to the front...

You have signed in with firebase on your server but you did not sign in with firebase on the front end. Or maybe you did in setAuthorizationHeader(res.data.token); but I'd be curious to know how you did that. It would have been interesting to be able to authenticate with nodejs and then send the tokenId which has been generated, that is data.user.getIdToken(), to the client which the client would then pass to firebase.auth().signInWithToken(token) but this is not possible. If you want to know more about it, I invite you to read this issue (a feature request).

The way to solve this problem is to use Admin SDK and create a custom token.

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Realtime Database Rules and the request.auth object in your Cloud Storage Security Rules.

Here are the steps:

1. First, you will add the SDK to your server:

yarn add firebase-admin --save

and import it

const admin = require("firebase-admin")

2. Go over to your Project settings under the "Service accounts" tab.

and click on "Generate a new private key"

3. a file has been downloaded and saved on your machine. From there, you will either import the file and initialize admin like this:

var serviceAccount = require("/path/to/serviceAccountKey.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount)
});

or better yet, in the console

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/serviceAccountKey.json"

and in your file

const credential = admin.credential.applicationDefault() // this will automatically find your env variable
admin.initializeApp({
    credential
})

Note: don't forget to set the proper permissions to the private key file with chmod (I had to).

4. nodejs

firebase
        .auth()
        .signInWithEmailAndPassword(user.email, user.password)
        .then((data) => {
            admin
            .auth()
            .createCustomToken(data.user.uid)
            .then((customToken) => {
                console.log('customToken', customToken)
                // send token back to client here
                res.send(customToken)
            })
            .catch((error) => {
                console.log('Error creating custom token:', error);
            });
        })
        .catch((err) => {
            console.error(err);
        });

and then on the client:

// get the token and then
firebase.auth().signInWithCustomToken(token)
    .then((userCredential) => {
        // Signed in
        var user = userCredential.user;
    })
    .catch((error) => {
        var errorCode = error.code;
        var errorMessage = error.message;
    });

---

Another solution would be not using firebase on the client at all and use the backend as some sort of proxy between firebase and the client. The client would make a request to the backend which in turn would interrogate firebase.

Answer 3

Your case is really problematic, the only way to do security in rules is to access your correntUser or auth. Because you connect through the nodejs, you only return json object and there will be no access to these objects.

For you to have access to these objects what you need to do is connect once more, in react itself, with the same firebase and that's how you enjoy all the worlds that firebase has to offer.

When you log in again, the user does not need to know about it, since when you log in you will reset the password, and choose a random password, it will solve all your problems.

I think this is the most likely solution, but it is not for production

Please update me.