javascript firebase firebase-realtime-database firebase-authentication firebase-security

How to send current user from Angular app to Firebase realtime database rules through REST API

I've a small Angular application deployed to Firebase. There're only 2 users. The users are authenticated with their emails addresses. I'm able to get the user data in my Angular application.

In the development phase I've used the following Realtime Database rule:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

Naturally, I'd like to make the full database only readable and writeable for that 2 users.

I've tried to set up the following rules:

{
  "rules": {
    ".read": "auth.uid !== null",
    ".write": "auth.uid !== null"
  }
}

As expected, I receive a 401 error.

My question would be, that how should I send the uid from within the Angular app endpoint requests?

I've tried sending it via path param, like:

this.http.get(`https://myappname.firebaseio.com/data.json?auth=${uid}`).toPromise();

But passing the logged in user's uid like this won't work. Should I send it with http headers? If yes, what should be the proper syntax?

Or do I need to send anything? Maybe I just need a better realtime database rule?

Edit:

I was able to retrieve the tokenId with the auth service's constructor.

this.firebaseAuth.authState.subscribe((user: any) => {
      if (user) {
        this.userData = user;
        localStorage.setItem('user', JSON.stringify(this.userData));
        JSON.parse(localStorage.getItem('user'));
        user.getIdToken().then((idToken: any) => {
          this.idToken = idToken;
        });
      } else {
        localStorage.setItem('user', null);
        JSON.parse(localStorage.getItem('user'));
      }
    });

Now when I call an API endpoint I just simply add the idToken as a path param, like this:

return this.http.get(`https://myapp.firebaseio.com/data.json?auth=${token}`).toPromise();

And Realtime Database rule looks like this:

{
  "rules": {
    ".read": "auth !== null",
    ".write": "auth !== null"
    }
}

Solution

You interact between your Angular app and the Firebase Realtime Database with the Realtime Database REST API.

As explained in the doc, to send authenticated requests to the Realtime Database REST API through the auth query string parameter you need to generate and pass an ID token.

this.http.get(`https://myappname.firebaseio.com/data.json?auth=<ID_TOKEN>`).toPromise();

To generate this ID token, you can

Either retrieve it from the client (your Angular app) as explained here;
OR, use the Firebase Auth REST API, with the signInWithPassword method (since your users are "authenticated with their emails addresses").

Note that an ID token is totally different from a user uid.

PS: Since you are setting your rules with "auth.uid !== null", you may be interested by this SO answer.