Firebase Security Rules Block Writing to Firebase

后端 未结 2 1288
一整个雨季
一整个雨季 2021-01-24 10:53

Note: This question is tagged polymer because the Polymer library is used to generate the Javascript.

This question is about two different

相关标签:
2条回答
  • 2021-01-24 11:36

    @FrankvanPuffelen's answer in Polymer-speak translates into:

    Use the <firebase-collection> element's .add() method to write data to Firebase from the client while under security rule enforcement. It's more efficient from a code standpoint as firebase-collection handles all the necessary auth tokens for you automatically.

    0 讨论(0)
  • 2021-01-24 11:52

    Problem 1

    You're using the Polymer firebase-auth element to authenticate with Firebase.

    <firebase-auth id="firebaseLogin"
                   user="{{user}}"
    ...
    

    Under the hood this calls the Firebase.authAnonymously() method, which authenticates the current session in the Firebase JavaScript SDK.

    You're writing to Firebase using:

    computeFbTargetJson: function(f) {
        return f + '.json';
    }
    

    and

    this.set('$.ajax.url'  , this.fbTargetJson);
    this.set('$.ajax.body' , JSON.stringify({
        jquux: 'jbaz'
       }));
    this.$.ajax.generateRequest();
    

    This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. But since this is a regular HTTP call, it will not "inherit" then authentication from the Firebase JavaScript client.

    To authenticate your REST request, you will need to pass in an auth parameter as documented in the Firebase documentation. You can get the token from the Firebase reference using ref.getAuth().token.

    Problem 2

    Each element in your Firebase database is accessibly by a unique URL. You can either access it with one of the Firebase SDKs or by directly accessing the REST API that Firebase exposes.

    From what I can gather from the jsbin, you're writing to Firebase using:

    computeFbTargetJson: function(f) {
        return f + '.json';
    }
    

    and

    this.set('$.ajax.url'  , this.fbTargetJson);
    this.set('$.ajax.body' , JSON.stringify({
        jquux: 'jbaz'
       }));
    this.$.ajax.generateRequest();
    

    This is doing an AJAX request to Firebase, which means that you're using Firebase's REST API. The first paragraph of that API documentation explains how Firebase database URLs map to the REST API:

    We can use any Firebase app URL as a REST endpoint. All we need to do is append .json to the end of the URL and send a request from our favorite HTTPS client.

    So in order to access any data in Firebase using the REST API, you append .json to the URL of that data.

    When you're using the Firebase Simulator, the operation is similar to using Firebase's JavaScript SDK. In that case, you should not put the .json suffix at the end of the URL.

    So given a Firebase database at https://mine.firebaseio.com/, say you have a user profile at /users/de01fc8104.

    • You can access that record in the simulator or with a Firebase SDK as https://mine.firebaseio.com/users/de01fc8104
    • To access the record using the REST API, the URL is https://mine.firebaseio.com/users/de01fc8104.json

    Summary

    Both of your problems are caused by the fact that you're using two different ways of accessing Firebase: the JavaScript SDK and the REST API. While these two methods can be used together, you will have to ensure you provide the information that is needed. In general you will have an easier experience if you stick to using one way of accessing Firebase from a single client.

    0 讨论(0)
提交回复
热议问题