Swift + Firebase Security does not work

I have two users created on my Firebase console, both have a different username and email address.

I want them to be able to store their grade online in a database. This is the structure:

    AppName
      - GameStats
        - DBW9WQEs2sQn9CuPTE9t7Q1qWSz2
          - Score : 0986
        - Li75C2BYW7bQnKqMmrqLAZ67HUy4
          - Score : 44131

To access this value and keep it synchronized, I use the following:

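    // Reference to the signed-in user's node, then to its "Score" child
    let baseRef = FIRDatabase.database().reference(withPath: "GameStats/" + user.uid + "")
    let scoreRef = baseRef.child("Score")
    // Print the value now and again on every change
    scoreRef.observe(.value, with: { snapshot in
        print(snapshot.value)
    })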

I wanted to check if two users can access other information from another user. I changed the line to include another user.uid as follows:

    let baseRef = FIRDatabase.database().reference(withPath: "GameStats/Li75C2BYW7bQnKqMmrqLAZ67HUy4")
    // Logged in User: DBW9WQEs2sQn9CuPTE9t7Q1qWSz2

and for some reason it outputs this:

 Optional(44131) 

If I change the value in the database, it will automatically update the value to the one I put.

This is the wrong user and for some reason he has access to it.

These are my rules:

    {
      "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
        "GameStats": {
          "$user_id": {
            ".write": "auth != null && auth.uid === $user_id && auth.provider === 'password'",
            ".read": "auth != null && auth.uid === $user_id && auth.provider === 'password'"
          }
        }
      }
    }

Why does the application allow one user to read other user data and how can I restrict access so that the user can only access data under their user ID?

As @M_G suggested, I pulled .write and .read from the parent. So now my rules are:

    {
      "rules": {
        // ".read": "auth != null",
        // ".write": "auth != null",
        "GameStats": {
          "$user_id": {
            ".write": "auth != null && auth.uid === $user_id && auth.provider === 'password'",
            ".read": "auth != null && auth.uid === $user_id && auth.provider === 'password'"
          }
        }
      }
    }

Now I get this output:

    [FirebaseDatabase] setValue: or removeValue: at /GameStats/DBW9WQEs2sQn9CuPTE9t7Q1qWSz2 failed: permission_denied

This is for the correct user too. I get this error for the wrong user also.
ios swift firebase firebase-database firebase-security
1 answer

The Firebase documentation is erroneous (for now). In the Firebase console, open the rule simulator. There is currently no password option; I think it's a mistake.

If you do not use multiple authentication methods, or multiple authentication does not matter in your project, do not use the provider in your rules. Otherwise, you can check this rule for password authentication:

 ".write": "auth != null && auth.uid === $user_id && auth.token.firebase.identities.email !== null" 
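The cross-user read in the question follows from how Realtime Database rules cascade: a `.read` or `.write` that evaluates to true at a parent grants access to everything beneath it, and a deeper rule cannot take that back. The JavaScript model below is an added example, not code from the posts above or from Firebase; `isAllowed`, `originalRules` and `fixedRules` are hypothetical names, the evaluator is a simplification of the real rules engine, and the `auth` objects are constructed.

```javascript
// Rule bodies are the expressions from the question, written as JS predicates.
const ownerOnly = (auth, vars) =>
  auth != null && auth.uid === vars.$user_id && auth.provider === 'password';
const anyUser = (auth) => auth != null;

// Rule set from the question: the root grants access to every signed-in user.
const originalRules = {
  '.read': anyUser, '.write': anyUser,
  GameStats: { $user_id: { '.read': ownerOnly, '.write': ownerOnly } },
};
// Same rules with the root-level grants removed.
const fixedRules = {
  GameStats: { $user_id: { '.read': ownerOnly, '.write': ownerOnly } },
};

// Walk from the root towards the requested path. Access is granted as soon as
// any rule on the way evaluates to true; deeper rules cannot revoke the grant.
function isAllowed(rules, op, path, auth) {
  let node = rules;
  const vars = {};
  const segments = path.split('/').filter(Boolean);
  for (let i = 0; ; i++) {
    const rule = node['.' + op];
    if (rule && rule(auth, vars)) return true;
    if (i === segments.length) return false; // reached the target, no grant
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (!wildcard) return false; // no rules below this point: denied
      vars[wildcard] = seg; // bind e.g. $user_id to the path segment
      node = node[wildcard];
    }
  }
}

// Constructed auth object for the logged-in user from the question.
const loggedIn = { uid: 'DBW9WQEs2sQn9CuPTE9t7Q1qWSz2', provider: 'password' };
const otherPath = 'GameStats/Li75C2BYW7bQnKqMmrqLAZ67HUy4/Score';
const ownPath = 'GameStats/DBW9WQEs2sQn9CuPTE9t7Q1qWSz2/Score';

console.log('original rules, other user:', isAllowed(originalRules, 'read', otherPath, loggedIn));
console.log('fixed rules, other user:   ', isAllowed(fixedRules, 'read', otherPath, loggedIn));
console.log('fixed rules, own node:     ', isAllowed(fixedRules, 'read', ownPath, loggedIn));
```

With the root grants removed, the owner is still denied whenever `auth.provider` is not exactly `'password'`, which is why the answer recommends dropping that clause unless the provider distinction matters.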
