Basic user authentication with records in AngularFire

Posted by ajkochanowicz on Stack Overflow See other posts from Stack Overflow or by ajkochanowicz
Published on 2013-10-20T18:27:35Z Indexed on 2013/10/21 3:54 UTC
Read the original article Hit count: 186

Filed under:
|

Having spent literally days trying the different, various recommended ways to do this, I've landed on what I think is the most simple and promising. Also thanks to the kind gents from this SO question: Get the index ID of an item in Firebase AngularFire

Curent setup

Users can log in with email and social networks, so when they create a record, it saves the userId as a sort of foreign key.

enter image description here

Good so far. But I want to create a rule so twitter2934392 cannot read facebook63203497's records.

Off to the security panel

enter image description here

Match the IDs on the backend

Unfortunately, the docs are inconsistent with the method from is firebase user id unique per provider (facebook, twitter, password) which suggest appending the social network to the ID. The docs expect you to create a different rule for each of the login method's ids. Why anyone using >1 login method would want to do that is beyond me.

enter image description here

(From: https://www.firebase.com/docs/security/rule-expressions/auth.html)

So I'll try to match the concatenated auth.provider with auth.id to the record in userId for the respective registry item.

According to the API, this should be as easy as

enter image description here

In my case using $registry instead of $user of course.

{
  "rules": {
    ".read": true,
    ".write": true,
    "registry": {
      "$registry": {
        ".read": "$registry == auth.id"
      }
    }
  }
}

But that won't work, because (see the first image above), AngularFire sets each record under an index value. In the image above, it's 0. Here's where things get complicated.

Also, I can't test anything in the simulator, as I cannot edit {some: 'json'} To even authenticate. The input box rejects any input.

enter image description here

My best guess is the following.

{
  "rules": {
    ".write": true,
    "registry": {
      "$registry": {
        ".read": "data.child('userId').val() == (auth.provider + auth.id)"
      }
    }
  }
}

Which both throws authentication errors and simultaneously grants full read access to all users. I'm losing my mind. What am I supposed to do here?

© Stack Overflow or respective owner

Related posts about firebase

Related posts about angularfire