问题
I am developing an iOS app using Firebase (the newest) and I am having trouble with the auth.provider expression in the security rules when the user is authenticated using an email and password. I expect the auth.provider expression to return password but instead it looks like it returns anonymous.
In the Firebase console, I have enabled Email/Password and Google as providers, and have set up the following security rules:
{
"rules": {
"users": {
"$uid": {
// the user is allowed to read
".read": "auth.uid === $uid",
// the non-anonymous user is allowed to write
".write": "auth.uid === $uid && auth.provider !== 'anonymous'"
// more here, omitted for brevity
}
}
}
}
In my app, when signing in as a user XYZ with an e-mail and password, I am not able to set a value under the /users/XYZ node. I am getting a "permission denied" error. This is not the case with users signing-in with Google credentials, where it works as expected.
It looks like the culprit is the condition auth.provider !== 'anonymous'. For an e-mail/password sign-in, I expect the provider to be equal to password; instead it appears to be set to anonymous. The Firebase documentation lists "password" as a possible value for auth.provider: https://firebase.google.com/docs/reference/security/database/#auth
This issue has bigger ramifications, when one enables the new "anonymous authentication" feature (see https://firebase.google.com/docs/auth/ios/anonymous-auth). As I understand it, using auth.provider in the security rules would allow one to distinguish between an "anonymous" user and a "password" user.
Am I looking at a bug or am I making a beginner's mistake somewhere in my reasoning?
For reference, here are the SDK versions I am using (excerpt from CocoaPods output):
Using Firebase (3.2.1)
Using FirebaseAuth (3.0.2)
Using FirebaseDatabase (3.0.1)
回答1:
The Firebase team confirmed that there is a bug somewhere on their side and are working for a fix. In the meantime, there is a workaround to be found in the link below:
https://groups.google.com/d/topic/firebase-talk/C-ljg-CCKl0/discussion
The workaround consists of using the following security rule for detecting that the user authenticated using an e-mail address:
auth.token.firebase.identities.email !== null
回答2:
Not being very helpful, but I wanted to say I have the same issue using the Javascript client API. I've sent a support question to the Firebase team. If I get any updates I'll post them here.
来源:https://stackoverflow.com/questions/37624131/auth-provider-is-not-set-to-password-when-user-signs-in-with-email-and-passwor