Firebase REST API 401 unauthorized for everyone but me

Time:02-08

I'm using firebase's real time database to store data, and I have permission rules set to:

{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid",
        ".read": "$uid === auth.uid"
      }
    }
  }
}

I'm trying to read and write to the database using rest/fetch, and it seems to be working fine. But after some investigation, it seems it only works for me specifically, and other users receive a 401 unauthorized response. My code looks like

chrome.identity.getAuthToken({ interactive: true }, (token) => {
  // Google OAuth2 access token is appended as the access_token query parameter
  let url = this.url + `users/${id}.json?access_token=${token}`;
  const headers = new Headers({
    "Content-Type": "application/json",
  });

  fetch(url, { headers: headers })
    .then((res) => {
      console.log(res);
      return res.json();
    });
});

Token is obtained by calling getAuthToken from the extensions background page. id is found by calling chrome.identity.getProfileUserInfo:

chrome.identity.getProfileUserInfo((info) => {
  email = info.email;
  userId = info.id;
});

I also have the following scope, which I thought would enable reading and writing from firebase: https://www.googleapis.com/auth/datastore

Any ideas? I'm very confused why it would work, but only for me.

CodePudding user response:

From the Firebase documentation on generating an access token to access the Realtime Database REST API:

generate a Google OAuth2 access token with the following required scopes:

Most likely you're missing that second scope.

Note by the way that this will grant you full administrative access to the database, and will not follow your security rules. These people are essentially collaborators on your project: they can either see/edit all data, or they cannot.

To allow a user access to the database and follow the security rules, the user will have to sign in with Firebase Authentication, and you'll have to pass their ID token to the REST API.
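As an added illustration of the two credential types the answer contrasts (this is example code, not from the question or the answer, and not Firebase's own implementation): `buildRtdbUrl` assembles the REST URL with the correct query parameter for each credential, and `evaluateUsersRule` is a simplified local model of how the question's `users/$uid` rules treat each caller. The names `buildRtdbUrl`, `evaluateUsersRule`, the credential object shape (with an explicit `uid` standing in for the subject claim Firebase reads from a real ID token) and the database host are all assumptions made for the example.

```javascript
// Added example, not from the original post. Models the difference between
// a Google OAuth2 access token (?access_token=, project-level admin access,
// rules bypassed) and a Firebase Authentication ID token (?auth=, rules apply).

// Builds the Realtime Database REST URL for `path` under `baseUrl`.
// `credential` is one of (constructed shapes for this example):
//   { kind: "id_token", value, uid }  -> Firebase Auth ID token, sent as ?auth=
//   { kind: "access_token", value }   -> Google OAuth2 token, sent as ?access_token=
//   null                              -> unauthenticated request
// Using URL/searchParams avoids the string-concatenation slip in the question.
function buildRtdbUrl(baseUrl, path, credential) {
  const url = new URL(path.replace(/^\/+/, "") + ".json", baseUrl);
  if (credential && credential.kind === "id_token") {
    url.searchParams.set("auth", credential.value);
  } else if (credential && credential.kind === "access_token") {
    url.searchParams.set("access_token", credential.value);
  }
  return url.toString();
}

// Simplified local model (assumption, not Firebase's engine) of the rules in
// the question: users/$uid is readable/writable only when $uid === auth.uid.
// Returns the decision together with the HTTP status the REST API would send.
function evaluateUsersRule(path, credential) {
  // A scoped OAuth2 access token is treated as a project collaborator:
  // the security rules are not consulted at all.
  if (credential && credential.kind === "access_token") {
    return { allowed: true, status: 200, reason: "admin access, rules bypassed" };
  }
  const match = /^\/?users\/([^/]+)/.exec(path);
  if (!match) {
    return { allowed: false, status: 401, reason: "no rule grants access" };
  }
  // Unauthenticated callers have auth === null, so $uid === auth.uid is false.
  const authUid = credential && credential.kind === "id_token" ? credential.uid : null;
  if (authUid !== null && authUid === match[1]) {
    return { allowed: true, status: 200, reason: "$uid === auth.uid" };
  }
  return { allowed: false, status: 401, reason: "Permission denied" };
}

// Demonstration with constructed tokens and a placeholder database host.
const base = "https://example-db.firebaseio.com/";
const idTokenForU1 = { kind: "id_token", value: "ID_TOKEN_PLACEHOLDER", uid: "u1" };
const oauthToken = { kind: "access_token", value: "OAUTH_TOKEN_PLACEHOLDER" };
console.log(buildRtdbUrl(base, "users/u1", idTokenForU1));
console.log(evaluateUsersRule("users/u1", idTokenForU1)); // allowed, 200
console.log(evaluateUsersRule("users/u2", idTokenForU1)); // denied, 401
console.log(evaluateUsersRule("users/u1", null));         // denied, 401
console.log(evaluateUsersRule("users/u2", oauthToken));   // allowed, rules bypassed
```

The model shows why the question's approach only worked for the project owner: an OAuth2 access token that carries the database scope is either accepted as full administrative access or rejected outright, so the `$uid === auth.uid` rule never gets a chance to scope a user to their own node. Passing a Firebase Authentication ID token as `auth=` is what makes `auth.uid` available to the rules.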
