Is is possible to include a payload/parameter when executing a GET request to Firebase Realtime Database, in order to access the payload/parameter in the Firebase Realtime Database rules?
Using React Native with Javascript.
Add a comment
|
1 Answer
For a GET/read request to the Realtime Database, the following information is available in your security rules:
- The path that is requested, or the
querythat was executed. - The
authvariable indicating the logged in user, including any claims inauth.token.
So if you want to pass information, you will have to put it into one of these. For example, you can make the payload part of the path, or you can store it in the user's profile as a custom claim.
Putting in the path is typically preferred for short-lived information, like a nonce or a shared secret, while a custom claim is more common for some semi-permanent state of the users, such as them being marked as an application administrator.
answered Feb 1, 2021 at 15:33
10 Comments
Jonas
Thanks for the answer! Regarding the first option, how do I access the variables in the database rules? For instance, if my path is "firebaseurl/auth?={token}?variable={variableValue}, how do i access the value of the variable in the database rules?
Frank van Puffelen
There is no way to pass a custom variable to the rules. The only two options are mentioned in my answer.
Jonas
So I should use queries? Sorry, i am not very into rules. Is it possible to pass a custom variable by using queries?
Frank van Puffelen
It isn't possible to pass a custom variable into queries. The only information that your rules have is what I've listed in my answer.
Jonas
How is it then possible to check a parameter that the user performing the request sets, up against a value in the database? To ensure secure read / write rules.
|
