Firebase Auth: Value of auth.provider in the security rules when authenticating with email/password?


Alexandros Skaliotis

Jun 10, 2016, 10:33:21 AM
to Firebase Google Group
Hello,

I have recently started using Firebase on an iOS app and have a question regarding Firebase Auth and security rules. In the following security rule snippet:

 ".write": "auth.provider !== 'anonymous'"

What does auth.provider resolve to when authenticating using an e-mail address and a password? Is it 'password'?
If so, I would expect the above expression to evaluate to:

".write": true

Is this correct?

Thanks,
Alex

Thomas Césaré-herriau

Jun 10, 2016, 4:39:53 PM
to Firebase Google Group
Hi Alexandros,

The email/password provider is indeed "password".

Alexandros Skaliotis

Jun 23, 2016, 1:59:31 PM
to Firebase Google Group
Hi Thomas,

Thanks for the answer and sorry for the late reply.

I am afraid that the provider does not end up being "password" as suggested by my Stack Overflow question. It looks like it is wrongly set to "anonymous" when authenticating with e-mail and password.


Thanks,
Alex

Jacob Wenger

Jun 23, 2016, 2:54:39 PM
to fireba...@googlegroups.com
Hey Alexandros,

Sorry for not getting back to you earlier. This definitely seems like something is going wrong at some point in the chain here. I've got some questions for you to see if we can get to the bottom of this:
  • Just to confirm, you are using the new 3.x.x Firebase SDKs, right?
  • After signing in a user, get their ID token by doing:

    FIRUser *currentUser = [FIRAuth auth].currentUser;
    [currentUser getTokenForcingRefresh:NO
                             completion:^(NSString *_Nullable idToken,
                                          NSError *_Nullable error) {
              if (error) {
                // Inspect and handle error here.
                return;
              }

              // Paste idToken to jwt.io
    }];


  • Then, take idToken and paste it into https://jwt.io. Can you send me the output of the payload portion that jwt.io reports?
  • Are you doing any account linking between your email / password and Google users?
  • Can you share the exact sign-in code you are using?
Answer those questions and we will get to the bottom of this issue!

Cheers,
Jacob


Alexandros Skaliotis

Jun 23, 2016, 5:30:25 PM
to Firebase Google Group
Hi Jacob,

Thanks for looking into this.

My app is in Swift and uses the following dependencies (via CocoaPods):
- Firebase (3.2.1)
- FirebaseAuth (3.0.2)
- FirebaseDatabase (3.0.1)
- FirebaseUI/Auth (0.4.0)

The sign-in code is super-simple since I'm using FirebaseUI.

let authUI = FIRAuthUI.authUI()

let googleAuthUI = FIRGoogleAuthUI(clientID: ClientIds.GoogleAuth)

authUI?.signInProviders = [ googleAuthUI! ]
// then present authUI?.authViewController()


I've seen the issue with other devs not using FirebaseUI, so I tend to think it's not related to this, but can't be 100% sure.

Here is the payload that I get using the code snippet you provided.

{
  "name": "toto",
  "aud": "ad-hero-8c81e",
  "auth_time": 1466711896,
  "user_id": "v8EZERqPOFgU1LIMVWDUWhqPFug1",
  "sub": "v8EZERqPOFgU1LIMVWDUWhqPFug1",
  "iat": 1466711896,
  "exp": 1466715496,
  "email": "to...@toto.com",
  "email_verified": false,
  "firebase": {
    "identities": {
      "password": [
        "to...@toto.com"
      ],
      "email": [
        "to...@toto.com"
      ]
    }
  }
}

I am not doing any account linking, at least none that I'm aware of. I configured Firebase to prevent the creation of multiple accounts with the same email address using the relevant setting in the console. 

If it's any help, I didn't test using verified e-mail addresses.

Thanks,
Alex

Jacob Wenger

Jun 23, 2016, 6:33:51 PM
to fireba...@googlegroups.com
Thanks Alex,

This info is extremely helpful for us! This is definitely a bug on our side but I think we have a good understanding of it now. I looped in a handful of internal folks on a separate internal thread and we will figure out the extent of the issue and report back when we have more information about when you can expect a fix. Hang tight while we get the right people on this.

Cheers,
Jacob

Jacob Wenger

Jun 23, 2016, 6:39:10 PM
to Jacob Wenger, fireba...@googlegroups.com
I actually have a workaround for you in the meantime. We populate auth.token in your Security Rules with the contents of the auth payload that you posted to me. You can use that to write a rule to enforce that a user is an email / password user:

".write": "auth.token.firebase.identities.email !== null"

Note that anonymous users will not be listed in identities, but Google users will similarly have a non-null value for auth.token.firebase.identities.google.

Hope that holds you over until we fix this bug!

Cheers,
Jacob
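
Added example (not part of the thread and not Firebase's own code): a Node.js sketch that decodes an ID token payload locally and models the workaround rule `auth.token.firebase.identities.email !== null` against it. The tokens are constructed and unsigned, the function names are hypothetical, and treating a missing token as a denied write is an assumption of this model.

```javascript
// Decode the payload (middle) segment of a JWT: base64url-encoded JSON.
// The signature is NOT verified; this is for inspection only.
function decodePayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Identity kinds listed in the token, e.g. ["password", "email"].
// Per the thread, anonymous users are not listed in identities.
function identityKinds(claims) {
  const ids = (claims.firebase && claims.firebase.identities) || {};
  return Object.keys(ids).filter((k) => ids[k] != null);
}

// Model of: ".write": "auth.token.firebase.identities.email !== null"
// Assumption: a request that carries no token is denied.
function workaroundAllowsWrite(idToken) {
  if (!idToken) return false;
  return identityKinds(decodePayload(idToken)).includes('email');
}

// Build an unsigned token from constructed claims (placeholder signature).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'none', typ: 'JWT' }), enc(claims), 'sig'].join('.');
}

// Constructed payloads, shaped like the one posted in the thread.
const passwordUser = makeToken({
  sub: 'uid-password-example',
  firebase: {
    identities: { password: ['user@example.com'], email: ['user@example.com'] },
  },
});
const anonymousUser = makeToken({
  sub: 'uid-anonymous-example',
  firebase: { identities: {} },
});

for (const [label, tok] of Object.entries({ passwordUser, anonymousUser })) {
  console.log(label, identityKinds(decodePayload(tok)), workaroundAllowsWrite(tok));
}
```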

Alexandros Skaliotis

Jun 23, 2016, 7:32:11 PM
to Firebase Google Group
Thanks very much Jacob.

I will be waiting for updates on the bug when you have some more information.

In the meantime, I'll use the workaround. Thanks for taking the time to come up with it.

Jacob Wenger

Jul 6, 2016, 1:12:11 PM
to Gabriele Destefanis, Firebase Google Group
Hey Gabriele,

We made some backend changes which should go live in the next few days. Other changes will still be required though. It is unfortunately a bit of a gnarly thing for us to fix. You should continue to use the workaround for the time being. I'll post back here once the issue is resolved.

Cheers,
Jacob

On Wed, Jul 6, 2016 at 7:30 AM, Gabriele Destefanis <gabriele....@gmail.com> wrote:
Any news on this issue? Seems it's still open

Jacob Wenger

Jul 26, 2016, 2:03:06 PM
to Jacob Wenger, Gabriele Destefanis, Firebase Google Group
I just wanted to follow up here and say that this issue has been resolved. auth.provider should now be reporting the correct value. Thanks everyone for your patience.

Cheers,
Jacob