auth.token.email_verified permission denied


Noah Neumark

Oct 27, 2017, 2:19:15 AM
to Firebase Google Group
I'm trying to use a security rule to allow only verified email users to .write to a particular key. 

I'm using Email/Password login.

Looking at the user object, I see that the user has in fact email verified, but when I use the simulator or try to run the website, I get PERMISSION_DENIED: Permission denied. In the simulator, it fails on the expected line due to the "auth.token.email_verified == true" rule. When I changed it to "auth.token.email == {usersEmail}" it still failed, which led me to believe it was the token. So I tried "auth.token == null" which passed, which I suspect means there is an issue with simulating or receiving a token. Any idea what would cause this?

Kato Richardson

Oct 31, 2017, 2:20:22 PM
to Firebase Google Group
Hi Noah,

Assume these are security rules for the Realtime Database here. Note that you probably need to reauthenticate and get a fresh token before any changes will appear. So probably have to log out / log in to get them to take effect. Note that you can also just store metadata in the DB and refer to that in your rules, which can help with special cases.

If you want us to have a better look at this, we'll probably need some code to repro (something like a jsfiddle or plunkr would be ideal) and more complete security rules so we can understand the context.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/1df99eee-0143-41ef-8a6e-e3102ee54b9a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Jonathan Bourland

Jun 22, 2018, 3:56:16 PM
to Firebase Google Group
Hi Kato,

I've been running into the same issue in the Simulator for a while (and finally got curious/needy enough to look for solutions). I've tried logging out / in and had no luck. Here are my complete (very simple) security rules for my Firebase Realtime Database: 

{
  "rules": {
    ".read": "auth.token.email_verified === true",
    ".write": "auth.token.email_verified === true"
  }
}

Trying to access my /users collection (or any collection) I've tried the following:
  • Used "Custom" provider and altered the auth token JSON to use a uid with a verified email.
  • Used "Custom" provider and altered the auth token JSON to use a uid with a verified email and added "email_verified": "true".
  • Used "Anonymous" provider and put the same valid uid in the UID field.
With each, I've gotten "Read denied." Screenshot:



On a positive note, in actual practice, in my app, things actually work correctly. So, it seems like either there's an issue with the Simulator or it's just not clear how to test email_verified rules.


Thank you!

Jonathan 
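
An added example, not part of the original posts: a local JavaScript model of how the rule "auth.token.email_verified === true" evaluates against the simulator payload shapes tried above. It assumes the simulator's custom payload is what rules see as `auth`, with claims nested under `auth.token`; the payload values and the `ruleAllows`, `diagnose` and `report` helpers are constructed for illustration.

```javascript
// Added example: local model of the rule, not Firebase's own evaluator.
// Assumption: the simulator's custom payload is exposed to rules as `auth`.

// The rule from the thread as a plain predicate. Optional chaining models
// "a missing field makes the rule false", i.e. the request is denied.
function ruleAllows(auth) {
  return auth?.token?.email_verified === true;
}

// Explain which part of the payload makes the rule fail.
function diagnose(auth) {
  if (auth == null) return "denied: unauthenticated (auth is null)";
  if (auth.token == null || typeof auth.token !== "object") {
    return "email_verified" in auth
      ? "denied: email_verified is at the top level, not under token"
      : "denied: payload has no token object";
  }
  const v = auth.token.email_verified;
  if (v === undefined) return "denied: token has no email_verified claim";
  if (v !== true) {
    return `denied: email_verified is ${typeof v} ${JSON.stringify(v)}, not boolean true`;
  }
  return "allowed";
}

// Constructed payloads mirroring the attempts described in the post.
const payloads = {
  uidOnly: { provider: "custom", uid: "constructed-uid-1" },
  topLevelString: { provider: "custom", uid: "constructed-uid-1", email_verified: "true" },
  nestedString: { provider: "custom", uid: "constructed-uid-1", token: { email_verified: "true" } },
  nestedBoolean: { provider: "custom", uid: "constructed-uid-1", token: { email_verified: true } },
};

// Map each payload name to the diagnosis for the rule.
function report() {
  return Object.fromEntries(
    Object.entries(payloads).map(([name, auth]) => [name, diagnose(auth)])
  );
}

console.log(report());
```

Only the last payload satisfies the strict `=== true` comparison: the claim has to be a boolean and has to sit inside the `token` object.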



