Closing a torii authentication session leads to data permission errors


Christian Spanring

May 6, 2016, 9:52:46 AM
to Firebase + EmberJS
Hi,

I have rules that protect data from unauthorized access, e.g. a user has to log in before she can read certain records.

I’ve implemented the “logout” action on my protected route in a way that a user is redirected to the application index route, where only public data is shown, and then signed out (torii session is closed with `this.get('session').close()`).

When I perform that action, I’m seeing permission errors, indicating that the current user doesn’t have access to certain records.

Am I running into some sort of race condition, where I’m closing my authentication session and some (private) Firebase data is still “hanging around”, even if I’m on a route where I wouldn’t expect it to?

I was experimenting with `store.unloadAll()` or timeout hacks, with basically the same result, meaning running into the same errors.

Any advice will be greatly appreciated!

Thanks,
Christian

Tim Stirrat

May 10, 2016, 10:03:23 PM
to Christian Spanring, Firebase + EmberJS
Hi Christian,

I would have suggested a store.unloadAll() to fix it, but you've already tried that. If you could create an MCVE that would be extremely helpful.

I'm guessing there is some value listener that becomes invalid due to the security rules. I'd love to investigate it more.

Cheers 🔥,

Tim


Tim Stirrat

May 10, 2016, 10:05:25 PM
to Christian Spanring, Firebase + EmberJS
To clarify, I'm sure that a store.unloadAll('someModel') would absolutely be needed in these rules-protected data situations, but I'd like to figure out why it isn't quite working yet :)

Thanks,

Tim

Christian Spanring

May 11, 2016, 5:21:52 PM
to Tim Stirrat, Firebase + EmberJS
Thanks for your response!

I’ve set up a quick example to demo the issue:

https://cspanring-perm-bug.firebaseapp.com/

“Sign In” authenticates you with a test (password) account. The “protected” route loads some data that is protected with a `".read": "auth.uid !== null"` security rule.

“Sign Out” will run “store.unloadAll()”, followed by a transition to the index route (where no data is loaded) and then close the torii session. That is when you'll see the permission errors appearing in the browser console. Ember inspector shows that all records are gone from the store.

Source code: https://github.com/cspanring/firebase-perm-bug

Thanks again!
Christian

Tim Stirrat

May 11, 2016, 5:29:47 PM
to Christian Spanring, Firebase + EmberJS
Seriously, thank you so much, this will be a great help. 

I will look at it later today.

🍰,

Tim

Tim Stirrat

May 11, 2016, 7:34:55 PM
to Christian Spanring, Firebase + EmberJS
This is because store.unloadAll() does not seem to call each record.unloadRecord() and as such it never removes the Firebase 'value' listeners.

I'm working on a fix.

🔥,

Tim

Tim Stirrat

May 11, 2016, 7:38:34 PM
to Christian Spanring, Firebase + EmberJS
As a workaround, for now, you can use:

```js
store.peekAll('protected-data').forEach((r) => r.unloadRecord());
```

🔥,

Tim
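
The failure mode diagnosed above and the posted workaround, modelled as an added example (not code from this thread or from emberfire). `FakeBackend`, `FakeStore`, `signOut` and `simulate` are constructed stand-ins that run under Node without Ember or Firebase; the fake `unloadAll()` mimics only the behaviour reported in the thread.

```javascript
// Constructed stand-in for the Firebase backend: tracks 'value' listeners and
// cancels them with permission_denied once the auth session is gone.
class FakeBackend {
  constructor() { this.listeners = new Set(); this.errors = []; }
  on(path) {
    const listener = { path };
    this.listeners.add(listener);
    return listener;
  }
  off(listener) { this.listeners.delete(listener); }
  revokeAuth() {
    for (const l of this.listeners) this.errors.push(`permission_denied at ${l.path}`);
    this.listeners.clear();
  }
}

// Constructed stand-in for the store; each record owns one backend listener.
class FakeStore {
  constructor(backend) { this.backend = backend; this.records = []; }
  load(modelName, id) {
    const record = { modelName, id, listener: this.backend.on(`/${modelName}/${id}`) };
    record.unloadRecord = () => {
      this.backend.off(record.listener);
      this.records = this.records.filter((r) => r !== record);
    };
    this.records.push(record);
  }
  peekAll(modelName) { return this.records.filter((r) => r.modelName === modelName); }
  // Behaviour reported in the thread: records vanish, listeners stay attached.
  unloadAll() { this.records = []; }
}

// Sign-out ordering: detach every protected record's listener, then close.
function signOut(store, session, protectedModels, useWorkaround) {
  if (useWorkaround) {
    protectedModels.forEach((m) => store.peekAll(m).forEach((r) => r.unloadRecord()));
  } else {
    store.unloadAll();
  }
  session.close();
}

// Returns the permission errors logged for one simulated sign-out.
function simulate(useWorkaround) {
  const backend = new FakeBackend();
  const store = new FakeStore(backend);
  ['1', '2', '3'].forEach((id) => store.load('protected-data', id));
  signOut(store, { close: () => backend.revokeAuth() }, ['protected-data'], useWorkaround);
  return { errors: backend.errors, recordsLeft: store.records.length };
}
```

In both runs the store ends up empty, which matches the Ember inspector observation in the thread; only the number of listeners still attached when the session closes differs.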

Christian Spanring

May 11, 2016, 9:16:30 PM
to Tim Stirrat, Firebase + EmberJS
Excellent, that workaround solved my issue, thanks so much!