I am modifying the FriendlyPix Firebase sample app so that only authenticated and authorized user can read data under the node. Following is the Database rule for my real-time DB
"posts": {
// ".read": true, COMMENTED OUT
"$postId": {
".read": "auth.uid === data.child('author').child('uid').val()",
".write": "!data.exists() || data.exists() && auth.uid === data.child('author').child('uid').val()",
//more code
The issue is that now a logged-in user can't read any posts (not even the ones he posted). I am using Firebase UI and Google login. What am I doing wrong?
Without the line you commented out, nobody can read from /posts. To be able to query /posts. you must be able to read from it.
This a common recurring roadblock for developers new to Firebase: rules cannot be used to filter data. I recommend you read up on that in the Firebase documentation and in the many questions on the topic.
Firebase queries are all or nothing. If you are listening to the "/posts" node of your Firebase database, a user will only get ANY data if the are authorized to see ALL of the data under that node. Your rules do allow for an author to read their own posts, but not any others. This means that the entire query will result in an authentication error.
Anytime auth is not null, it means the user is authenticated. As any authenticated user should be able to read a post, just putting read to "auth != null" will suffice. Note that this only allows logged in users to read posts, not to edit them.
Related
My current Android Application makes use of the Firebase Realtime Database.
I am struggling with the security Rules as I wish to allow only a Single User to be able to Write data while allowing any authenticated user to read data.
I have set these rules but am unsure if they are secure enough...
{
"rules": {
".read": "auth != null",
".write": "auth.uid === 'xxxxxxxxxxxxxxxxxxxxxxx'"
}
}
Where 'xxxxxxxxxxxxxxxxxxxxxxx' is the specified user I wish to allow to write data.
Is a users uid a constant value?
What does the "Authenticate" option manage when clicking on the Simulate button when testing out new rules?
Once a user's UID is generated, it will never change. So checking the UID in the security rules is indeed a common way to ensure only that specific user has a certain permission. I do this on almost every project when getting started for the initial (admin-type) users.
How do I check if the user exist. I signed up a user through the Firebase SDK. I deleted the user at the Firebase console, and the user is still able to log in using the credentials. Its strange because after deleted in the console u can create a new user with the deleted email. While the user can still log in.
So I want to be able to check firebase through the SDK to find out if user exists so i can prevent or gain access through the app
pod 'Firebase/Auth'
check out the related doc https://firebase.google.com/docs/auth/ios/start
to be clear, you'll get nil value on the observation if an user with the specified ID is deautorised somehow. Something like reference -> users -> auth.uid if I remember all the stuff properly
auth.uid is FIRAuth.auth.currentUser.uid or whatever user you need to track. You have to share those uids somehow, I don't remember the firebase to have a built way to do that. However things could change since I've used it for the last time
What would be the easiest way to have a contact form implemented into an Xcode ios app, where the user inputs their email, name and some hidden variables from within the program?
I'm thinking a firebase service will work well, as I don't want to use the built-in email form.
The contact form also needs to know if the form was submitted successfully, such as if the internet was out, or the server/service couldn't be reached. Any help or useful links would be greatly appreciated.
Firebase Authentication is great, it allows you to sign up/sign in users, so you can store them safely there.
Auth.auth().createUser / Auth.auth().signIn
The first method will create an auth user and returns you an uid key for that user, so you can use their Database to store anything related to that user using that uid. The second method will login an user and returns the current user logged in uid, so you can manipulate your data. You can make sure they worked by using the completion and checking if error is == nil.
I highly recommend you to use Auth to authenticate them, otherwise you would have to store their emails and passwords on your Database, and you would have to encrypt them.
Check their documentation here: https://firebase.google.com/docs/auth/ios/start
I have a question about Firebase Auth.
I'm working on my app and, even if I downloaded Firebase Auth Protocol using Pods, I realized that I really don't need them.
The aim of my app is to show some random quote about users but I don't need to Auth them 'cause I don't want and I don't need to implement an Auth system.
In few words: if you're using my app, you can submit a random quote anonymously.
How do I have to set the Authentication from Firebase Dashboard in order to allow ONLY the users who use my app to do that? How can I prevent people not to submit info if they're not using an iOS device?
You could have the user sign in anonymously and have a rule in Firebase that you have to be signed in to post quotes. If you also have to be signed in to read the quotes the rules would look like this.
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Doing this through anonymous authentication is a good first step, but the rules in Casper's answer are quite easy to bypass. If you don't have a better authorization schema for your users, I recommend implementing the newly introduced Firebase App Check to ensure requests are only allowed from apps that are registered in your Firebase project.
as I started to work with Twitterizer in order to publish on someone's wall I am in confusing time.
There is a page, my case, DefaultTwitter.aspx where is link to authenticate on twitter with token provided. Goes on Twitter and comes back to CallbackTwitter.aspx with outh_token and secret. And so the user is identified. On twitterizer example says:
Step 5 - Store the results
You should now store the access token and the user details. Keep in mind that the
only way an access token will become invalid is if the user revokes access by logging
into Twitter. Otherwise, those values will grant you access to that user's data
forever.
My questions are: - should I store any data in SQL datatable and what exactly(however I hope that is not the case to do so)
somebody said that I should save in a cookie(I thought in session); however then if another user comes then how should I create a button to logout or something like that?
-how will user revoke application access if he would like so?
A live example will be much appreciated as I could not found any on internet how exactly twitter api works.
When your application finishes getting authorization to access the user's data, the result is the access token (represented by 2 values, a key and a secret). Those values are, in effect, the username/password you can use in requests to the API on behalf of that user.* Save those values in your SQL database. You'll also be given the user id and screen name. It's probably a good idea to keep those handy, too.
The user can revoke access to an application by going to http://twitter.com/settings/applications, finding the application and clicking the revoke access button next to it. Your application cannot revoke access for the user.
You asked for an example, but you're citing the example application. Just look at the source code in that sample.
* - That's a simplification for explanation sake. Please don't crucify me, OAuth experts.