How can I use realtime database in lock mode ? auth!=null ?
My app uses Xamarin.Firebase.Auth , I can create user and login also update realtime database childs but when I switch to auth=true, i can t update realtime database anymore.
I used this to work with realtime database:
var toUpdateUser = (await firebase
.Child("One")
.OnceAsync<One>()).Where(a => a.Object.Email == email).FirstOrDefault();
await firebase
.Child("One")
.Child(toUpdateUser.Key)
.PatchAsync(new Users() { Status = 0 });
For Locked mode, it denies all reads and writes from mobile and web clients. Your authenticated application servers can still access your database.
You could use the Test Mode instead.
For more details, please check the link below. https://firebase.google.com/docs/database/android/start
Sorry I meant to say auth users are allowed, not lock mode:
All authenticated users
While we don't recommend leaving your data accessible to any user that's signed in, it might be useful to set access to any authenticated user while you're developing your app.
Cloud Firestore
Realtime Database
Cloud Storage
{
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
If i use those rules, Firebase realtime database does not update.
If i use below rules all is fine.
{
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
I do login in my app with users created with Xamarin.Firebase.auth users that can be found in Firebaseconsole under Authentication but i need to callback something from Firebase i think to be able to useenter code here Realtime Database
Related
I'm using Firebase Sign with Email and getting authToken and Firebase UID
Able to access public database but I want to access protected database with authenticated user.
Firebase Real Time Database Rules
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
If you want to limit read access to authenticated users, you could leverage this in your rules like auth != null. The rule you provided could limit that the authorized user's can write and read the Data.
However, we generally recommend limiting write access further.
For example, your app may want to make sure users can only read and write their own data. In this scenario, you would want a match between the auth.uid variable and the user ID on the requested data:
{
"rules": {
"users": {
"$userId": {
".write": "$userId=== auth.uid",
".read": "$userId=== auth.uid"
}
}
}
}
I have Chat Bot created using C# SDK V4 and it has multiple water fall dialog classes each for performing specific action when a certain option is selected. The BOT has authentication also embedded using Oauth Prompt.
Channel: Web Channel
SDK: SDKV4
Language: C#
Now, I want to have the state management handled or kept in the water fall dialog as the example i see is on top of normal echo bot and if i implement the same lines on my existing bot having water fall dialog it is not working.
Coming to reason why i want state management as After authenticating the user using Oauth Prompt i am displaying the options based upon the logged in User
Now 2 or more users log in simultaneously or one after the other the other login is getting taken and data of second logged in user is getting displayed for the first user when he toggles back and forth with in the options displayed for selection.
When i logged a query on how to maintain the logged in user or refresh the logged in user i was suggested to have state management technique hence this query on how to do it in a water all dialog.
If state management is not the correct option then can you please let me know how to refresh or maintain the logged in user id?
This suspect the issue is tied to the props you are passing to Direct Line when you start up Web Chat. Referenced under Integrate with Javascript, the docs state:
Assigning userID as a static value is not recommended since this will cause all users to share state. Please see the API userID entry for more information.
When you make a call to generate a token, the userID (which should be unique to the user) should be passed along at that point, else you will run into issues of shared state.
Here is a bit of the code I run for accessing a local API that gets and returns a direct line token. As you can see, the userID is passed in the request which is then baked into the token when returned.
// Listen for incoming requests.
server.post('/directline/token', (req, res) => {
// userId must start with `dl_`
const userId = (req.body && req.body.id) ? req.body.id : `dl_${ Date.now() + Math.random().toString(36) }`;
const options = {
method: 'POST',
uri: 'https://directline.botframework.com/v3/directline/tokens/generate',
headers: {
Authorization: `Bearer ${ process.env.directLineSecret }`,
'Access-Control-Allow-Origin': '*'
},
json: {
user: {
ID: userId
}
}
};
request.post(options, (error, response, body) => {
if (!error && response.statusCode < 300) {
res.send(body);
console.log('Someone requested a token...');
} else if (response.statusCode >= 400 && response.statusCode < 500) {
res.send(response.statusCode);
} else if (response.statusCode >= 500) {
res.status(response.statusCode);
res.send('Call to retrieve token from DirectLine failed');
}
});
});
Hope of help!
I want to secure every user's database and only accessible by its own user.
when I try to access the database through some codes in unity, it gets failed and the permission to access the data gets denied.
My Firebase Security Rule
...
"rules": {
"users": {
"$user": {
".read": "auth.provider === 'facebook'",
".write": "auth !== null && auth.uid === $user"
}
}}
...
In Unity, to write data I use the following code after authenticating the user:
...
playerDbRef.Child("users").Child(UserId).Child("User_Info").Child("name").SetValueAsync(UserName);
as from the rule, only User x can access data x. but in practice that does not work.
What the problem might be? thanks in advance.
If I understand your question correctly, you're concerned about users being able to read /users/$user even if their user id doesn't match what's stored at $user. In the case of these rules, you've made it so that anyone authenticated via Facebook is able to read any value stored under /users/$user, and to lock it down you actually want your ".read" rule to be identical with your ".write" rule. IF I misinterpreted your issue, you can stop reading now.
A way to validate your rules that's really simple is to use Firebase's Realtime Database simulator built into our web console. I've embedded your sample rules as (changes are formatting and leading {}'s that you omitted):
{"rules": {
"users": {
"$user": {
".read": "auth.provider === 'facebook'",
".write": "auth !== null && auth.uid === $user"
}
}
}}
With this simulator you can see that if I try to read when unauthenticated, I'm blocked:
read unauthenticated
But when I read as any user, it lets me in:
read as any facebook user
If I click on details, it will tell me exactly why (my auth provider is facebook):
details of why the rule passed
On the other hand, you'll see that I can't subsequently write to this node:
write rejected as any user
since your write rule should be correct, unless my user id also matches:
write accepted as owning user
I hope this helps!
What's happening is say user A Logs in and provides the rights for the app to access his/her Data we extract his data then..
But what the problem is when another person Logs into his/her account using the same computer and grants permission we are getting the Data of User A and not B..
if(Request.Params["code"] != null)
{
Facebook.FacebookAPI api = new Facebook.FacebookAPI(GetAccessToken());
string me = api.Get("/me");
string meFriends = api.Get("/me/friends/");
}
I am accessing the user info by the above code ..
What should we do about it?
It's a known problem with the SDK saving the data into the session. I'm not 100% sure for C# but I guess it's the same as PHP. The SDK (in PHP ) checks if user's Signed Request is available in session:
public function getSignedRequest() {
if (!$this->signedRequest) {
if (isset($_REQUEST['signed_request'])) {
$this->signedRequest = $this->parseSignedRequest(
...
What I do is everytime I check the validity of the current user's access token. But someone mentioned that's not effective (although I tend to disagree:) ).
In short SDK doesn't check for validity and takes the data from session as first source. That's why 2nd user has the 1st user data.
I have some JavaScript that logs in a Facebook user and saves the access token to a database:
window.fbAsyncInit = function () {
FB.init({
appId: '<%=FaceBookApplicationId() %>',
status: false, // check login status
cookie: true,
oauth: true
});
};
function facebookLogin() {
FB.login(function(response) {
if (response.authResponse) {
__doPostBack('__Page', 'FacebookDeliveryButton: ' + JSON.stringify(response.authResponse));
} else {
console.log('User cancelled login or did not fully authorize.');
}
}, { scope: 'offline_access,read_stream,publish_stream,user_photos' });
}
A button click fires facebookLogin() which logs in a facebook user, getting a facebook session that includes an access token, which I JSON serialize and post to the server. The server then saves this access token to the database table FacebookDeliveryQueue.
I have a Windows service running that periodically queries the FacebookDeliveryQueue table and attempts to post on a user's wall using the access token we saved earlier:
IQueryable<FacebookDeliveryQueue> toSend = objectContext.FacebookDeliveryQueues.Where(p => !p.IsDelivered);
foreach (FacebookDeliveryQueue facebookDeliveryQueueItem in toSend)
{
string facebookAccessToken = facebookDeliveryQueueItem.Cart.FacebookAccessToken;
string facebookRecipientId = facebookDeliveryQueueItem.Cart.FacebookRecipientId;
var client = new FacebookClient(facebookAccessToken);
dynamic parameters = new ExpandoObject();
parameters.message = facebookDeliveryQueueItem.Cart.CustomMessageBody;
client.Post(facebookRecipientId + "/feed", parameters);
}
My problem is, this ONLY works with access tokens from the user that created the facebook application. E.g.
Success:
I, the creator of this application, log in and pick one of my friends to send a message to, this info is saved to the database, the service runs, my message is posted to my friend's wall.
Failure:
I log in on my dummy test account (approving the app permissions on this account), pick one of my dummy test account's friend, this info is saved to the database, the service runs and throws an invalid access token error.
Any ideas why?
Update: Switched to Oauth login -- no change. Still getting "(OAuthException) Invalid access token signature." when attempting to post to friend's wall.
Looks like you're using facebook's old login methods, which they recently just turned off, so your old access tokens aren't valid anymore? And your javascript isn't generating the right kind of token. Read the latest version of the FB.login documentation for more info on what changes you need to make. Specifically,
pass oauth: true to the FB.init call
check for response.authResponse instead of response.session now.
Also, check that your app isn't in "sandbox mode". Go to the app settings page and click on "advanced". Sandbox mode makes it so that only developers can use the app.
The persistence to the database was silently trimming the access token to 75 characters, which in the case of my own user, was enough (small user id because it's an old account) -- but five characters too short in the case of my test account which has a very large user id.
Woops.