Authorizing HTTP request to Realtime Database against auth.uid rule


Michelle Ran

Feb 16, 2020, 11:54:46 AM
to Firebase Google Group
Hi! I'm wondering if it's possible to authorize an HTTP request to a node in the Realtime Database that's protected by a rule like:

"$uid": {
  ".read": "auth.uid === $uid",
  ".write": "auth.uid === $uid"
}

I know you can authorize a request with an id token by appending auth=<id_token> to the url, but I'm not sure how to pass a uid in.

Thanks!

Michael Bleigh

Feb 16, 2020, 3:24:31 PM
to Firebase Google Group
The ID Token is a JSON Web Token (JWT) that embeds information about the user including uid. If you pass a proper Firebase Auth ID Token to the Realtime Database as an auth token, the UID will be available inside.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/9511aa96-d0b0-484c-b39a-5b9399a7d8a5%40googlegroups.com.
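
Added example (not part of the original thread, and not Firebase's own code): it decodes the payload of an ID token to show where the uid lives, mirrors the auth.uid === $uid comparison locally, and builds the REST URL with auth=<id_token> appended. The database URL, the "users" parent path, the function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import quote, urlencode


def b64url(raw: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT checked here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rule_allows(id_token: str, path_uid: str) -> bool:
    """Local mirror of the thread's rule auth.uid === $uid (the database does the real check)."""
    return unverified_claims(id_token).get("sub") == path_uid


def user_node_url(db_url: str, id_token: str, parent: str = "users") -> str:
    """REST URL for the caller's own node, with the token appended as auth=<id_token>."""
    uid = unverified_claims(id_token)["sub"]  # Firebase ID tokens carry the uid in "sub"
    path = f"{parent}/{quote(uid, safe='')}.json"
    return f"{db_url.rstrip('/')}/{path}?{urlencode({'auth': id_token})}"


# Constructed sample token: made-up claims and a placeholder signature.
# A real ID token is signed by Firebase Auth; this one would be rejected by the database.
SAMPLE_CLAIMS = {"sub": "uid-alice-123", "user_id": "uid-alice-123", "aud": "example-project"}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"constructed-signature"),
])
DB_URL = "https://example-project.firebaseio.com"  # hypothetical database URL

if __name__ == "__main__":
    print(unverified_claims(SAMPLE_TOKEN)["sub"])
    print(rule_allows(SAMPLE_TOKEN, "uid-bob-456"))
    print(user_node_url(DB_URL, SAMPLE_TOKEN))
```

Because the uid comes out of the signed token, there is no separate uid parameter for the caller to set; the path segment only selects which node the rule is evaluated against.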

Michelle Ran

Feb 16, 2020, 6:27:49 PM
to Firebase Google Group
Ah, gotcha!

The reason why this came up was because I was having issues with a patch request - just to clarify, in order to patch at a path in the database, does the client need to be authorized to write to all of the child nodes at the path?

More specifically, if I have a database like this

{
  "child1": {
  }
}




Michelle Ran

Feb 16, 2020, 6:27:49 PM
to Firebase Google Group
Whoops, sent that reply too early. The patch was directed at the top level of the database and trying to make changes to 2 child nodes (which the client was authorized to write to), but there was also a sibling node that the client wasn't authorized to write to.

