Basic user authentication with records in AngularFire
Posted
by
ajkochanowicz
on Stack Overflow
See other posts from Stack Overflow
or by ajkochanowicz
Published on 2013-10-20T18:27:35Z
Indexed on
2013/10/21
3:54 UTC
Read the original article
Hit count: 186
firebase
|angularfire
Having spent literally days trying the different, various recommended ways to do this, I've landed on what I think is the most simple and promising. Also thanks to the kind gents from this SO question: Get the index ID of an item in Firebase AngularFire
Curent setup
Users can log in with email and social networks, so when they create a record, it saves the userId
as a sort of foreign key.
Good so far. But I want to create a rule so twitter2934392
cannot read facebook63203497
's records.
Off to the security panel
Match the IDs on the backend
Unfortunately, the docs are inconsistent with the method from is firebase user id unique per provider (facebook, twitter, password) which suggest appending the social network to the ID. The docs expect you to create a different rule for each of the login method's ids. Why anyone using >1 login method would want to do that is beyond me.
(From: https://www.firebase.com/docs/security/rule-expressions/auth.html)
So I'll try to match the concatenated auth.provider
with auth.id
to the record in userId
for the respective registry
item.
According to the API, this should be as easy as
In my case using $registry
instead of $user
of course.
{
"rules": {
".read": true,
".write": true,
"registry": {
"$registry": {
".read": "$registry == auth.id"
}
}
}
}
But that won't work, because (see the first image above), AngularFire sets each record under an index value. In the image above, it's 0
. Here's where things get complicated.
Also, I can't test anything in the simulator, as I cannot edit {some: 'json'}
To even authenticate. The input box rejects any input.
My best guess is the following.
{
"rules": {
".write": true,
"registry": {
"$registry": {
".read": "data.child('userId').val() == (auth.provider + auth.id)"
}
}
}
}
Which both throws authentication errors and simultaneously grants full read access to all users. I'm losing my mind. What am I supposed to do here?
© Stack Overflow or respective owner