I am developing an iOS application using Firebase (newest) and I am having problems with the expression auth.provider in security rules when a user authenticates with email and password. I expect the expression auth.provider return a password , but instead it looks like anonymous .
In the Firebase console, I enabled Email / Password and Google as providers and set the following security rules:
{ "rules": { "users": { "$uid": { // the user is allowed to read ".read": "auth.uid === $uid", // the non-anonymous user is allowed to write ".write": "auth.uid === $uid && auth.provider !== 'anonymous'" // more here, omitted for brevity } } } }
In my application, when logging in as an XYZ user with email and password, I cannot set the value under / users / XYZ node. I get a "permission denied" error. This is not the case when users sign in with the Google credentials where it works as expected.
It seems that the culprit is the condition auth.provider !== 'anonymous' . To enter the email / password system, I expect the provider to be equal to password ; instead, it is set to anonymous . The Firebase documentation lists the "password" as a possible value for auth.provider: https://firebase.google.com/docs/reference/security/database/#auth
This issue has a greater scatter when the new anonymous authentication feature is enabled (see https://firebase.google.com/docs/auth/ios/anonymous-auth ). As far as I understand, the use of auth.provider in security rules will allow us to distinguish between the "anonymous" user and the user "password".
Am I looking at a mistake, or am I making a beginner mistake somewhere in my reasoning?
For reference, here are the versions of the SDK that I am using (excerpt from CocoaPods output):
Using Firebase (3.2.1) Using FirebaseAuth (3.0.2) Using FirebaseDatabase (3.0.1)