Reputation: 993
Firestore security rules request.auth is always null
I am unsuccessfully trying to tighten Firestore security with custom claims.
versions:
- Firebase: ^9.6.9
- Node: 16.14.0
- Next: 11.1.0
I have verified that my custom claims are set as they work as expected for certain collections/requests, specifically ones coming from NextJs Server Side Rendered functions.
I have tried:
- Refactoring every service to Firebase V9 instead of using compat.
- Changing the firestore rules in production
- setting up emulators (Note* I'm not using auth emulator)
- adding debug() to security rules
- signing out and back in again
request.auth.token(which is what the debug shows on other reqs)- as well as
request.resource.auth.tokenas per These Docs (incorrect usage)
From the security rules debug - request.auth is null
Update:
I see from the rules usage on the firebase console that the rules were treated as errors and not denies.
I have found strange behavior.
I am successfully able to use custom claims for any collection other than 'blog'.
Successful rule matching tags:
I'm starting to think it has something to do with NextJs Server Side Rendering using getServerSideProps()
My code to retrieve blog entries:
export async function getServerSideProps(context) {
const posts: BlogPost[] | any = await GetBlogPosts();
return {
props: {posts}, // will be passed to the page component as props
};
}
interface extendedBlogPosts extends BlogPost {
['key']: string;
id: string;
}
interface BlogPageProps {
posts: extendedBlogPosts[];
userProps: {user: UserInfo; userData: UserData};
}
Upvotes: 2
Views: 1658
Answers (2)
Reputation: 598623
It sounds like the code in getServerSideProps runs in a trusted environment and accesses Firestore using an Admin SDK. If that is the case then the behavior you are seeing is expected, as the Admin SDKs access the database with elevated/administrative privileges and not as a specific user, and bypass all security rules.
Even if you're not using the Admin SDK, if that code runs in the server using the regular JavaScript SDK (or the one for Node.js, but not for administrative usage), your code is executing in a different environment than where the user signed in. So unless you've signed the user into the server-side code too, it will run without a signed in user, and thus the request.auth variable in your rules will be null.
Upvotes: 3
Reputation: 598623
The current user information is stored in request.auth, not in request.resource.auth as you are using in your first and last screenshots.
Upvotes: 0
Related Questions
- Error with Firestore security rules: FirebaseError: Missing or insufficient permissions
- Firebase Security Rule fails even though the request would be correct
- How to set Firestore security rules? resource.data: Null value error
- Firebase Firestore security rules seem not applied at all
- Firestore rules request.auth always null
- Firestore security rules get function error
- Firestore Rules get is always null or errors out
- Firestore Security Rules Being Rejected
- Firestore Security Rule null value error for create
- firestore security rules at request.auth.uid == id