Anthony Bobenrieth

Reputation: 2893

Firebase realtime database emulator ignoring rules when access_token is set in REST query?

Every query (at least from the REST API) seems to be handled like an admin query when access_token is set (even with a dummy value), ignoring any rule:

{
  "rules": {
    ".write": false,
    ".read": false
  }
}
i  database: Change detected, updating rules for my-project-default-rtdb...
 +  database: Rules updated.

POST http://localhost:9000/test.json?ns=my-project-default-rtdb => 401 Unauthorized

POST http://localhost:9000/test.json?ns=my-project-default-rtdb&access_token=foo => 200 OK

Is there a setting to enable proper auth support for the Realtime Database emulator?

Upvotes: 0

Views: 290

Answers (1)

Frank van Puffelen

Reputation: 599706

If you authenticate a request to the REST API to the production Realtime Database with an access_token, the user is a collaborator on the Firebase project (or it's a service account) and has full access to the database. This type of access does not have to abide by the security rules of the database, similar to how such a collaborator can access all data in the Firebase console. From the documentation:

Google OAuth2 access tokens - Typically, the ability to read from and write to the Realtime Database is governed by Realtime Database Rules. But, you can access your data from a server and grant that server full read and write access to your data with a Google OAuth2 access token generated from a service account.

It sounds like the emulator may not be actually validating the token, but the logic seems the same: using access_token grants access to the entire database, bypassing the security rules.

This also explains why you don't see the user in Firebase Authentication: this type of access does not use Firebase Authentication at all, and is intended for use with collaborators on the project and service accounts.

If you want to access the database as a regular user, authenticate with an ID token in the auth parameter instead.

Upvotes: 1
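The distinction the answer draws (access_token bypasses rules, an ID token in auth is evaluated against them) matters when a test suite against the emulator is supposed to prove the rules work. Below is an added example, not code from the question, the answer or Firebase, that builds emulator REST URLs in each auth mode and flags request lines whose auth mode means the rules were never exercised. The host, port and namespace are the ones in the question; the request lines are constructed, not captured emulator output.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs, urlencode

# Values taken from the question; nothing else is assumed about the project.
EMULATOR = "http://localhost:9000"
NAMESPACE = "my-project-default-rtdb"


def rtdb_url(path: str, *, id_token: Optional[str] = None,
             access_token: Optional[str] = None) -> str:
    """Build an emulator REST URL using at most one auth mode."""
    if id_token and access_token:
        raise ValueError("use either auth (ID token) or access_token, not both")
    query = {"ns": NAMESPACE}
    if id_token:
        query["auth"] = id_token              # end-user identity: rules apply
    if access_token:
        query["access_token"] = access_token  # privileged: rules are bypassed
    return f"{EMULATOR}/{path.strip('/')}.json?{urlencode(query)}"


def auth_mode(url: str) -> str:
    """Classify a REST URL as 'admin-bypass', 'user' or 'anonymous'."""
    q = parse_qs(urlparse(url).query)
    if "access_token" in q:
        return "admin-bypass"  # OAuth2/service-account style, rules not evaluated
    if "auth" in q:
        return "user"          # ID token, rules evaluated
    return "anonymous"


def flag_bypassing_requests(request_lines):
    """Return the 'METHOD URL' lines that never exercised the security rules.

    A rules test that only contains such lines proves nothing about the rules.
    """
    flagged = []
    for line in request_lines:
        _method, _, url = line.partition(" ")
        if auth_mode(url) == "admin-bypass":
            flagged.append(line)
    return flagged


# Constructed sample log mirroring the question's two POSTs plus a user call.
SAMPLE_LOG = [
    "POST " + rtdb_url("test"),
    "POST " + rtdb_url("test", access_token="foo"),
    "POST " + rtdb_url("test", id_token="ID-TOKEN-FROM-AUTH-EMULATOR"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(auth_mode(line.split(" ", 1)[1]), line)
```

The ID token value is a placeholder; in practice it comes from a sign-in against the Authentication emulator, and only requests in the "user" mode tell you whether the rules behave as intended.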
