Expo and Firestore security rules #703

Closed
kusaeva opened this issue Apr 18, 2018 · 11 comments

@kusaeva

kusaeva commented Apr 18, 2018

  • Operating System version: Android/iOS
  • Firebase SDK version: 4.12.1
  • Firebase Product: firestore

I’m using expo and the firebase web sdk (cause native firebase sdk is not working without detaching expo project).
When I decided to set up firestore security rules like this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

suddenly I got permission-denied. It appears both on Android/iOS

User is 100% authorized and I am not the only one who experiences this problem. I found it at StackOverflow, Firebase Google Group, Firebase Slack channel, Expo forums but it seems that no one creates the issue here.
The only solution was suggested at stackoverflow - downgrading firebase sdk to 4.6.2.
But I really don't like it; it has a problem with firestore on Android and needs to be patched.

I understand that using firebase web sdk for Android/iOS is not the case but is there any chance that the issue will be fixed?

@mikelehen
Contributor

So just to confirm, this happens with 4.12.1 but not 4.6.2? If you can verify exactly what release the regression occurred in, that will help us track it down.

And can you capture logs by calling firebase.firestore.setLogLevel('debug') before calling any other firestore operations?

@kusaeva
Author

kusaeva commented Apr 19, 2018

I can confirm that security rules work with 4.6.2 and stop working with 4.7.0

17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.616Z [MemoryPersistence]: Starting transaction: Start LocalStore
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.619Z [MemoryPersistence]: Starting transaction: Get last stream token
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.621Z [MemoryPersistence]: Starting transaction: Get next mutation batch
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.628Z [MemoryPersistence]: Starting transaction: Allocate query
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.629Z [MemoryPersistence]: Starting transaction: Execute query
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.631Z [MemoryPersistence]: Starting transaction: Remote document keys
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.636Z [Connection]: Creating WebChannel: https://firestore.googleapis.com/google.firestore.v1beta1.Firestore/Listen/channel [object Object]
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.644Z [Connection]: Opening WebChannel transport.
17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.649Z [Connection]: WebChannel sending: {"database":"projects/subs-dev/databases/(default)","addTarget":{"documents":{"documents":["projects/subs-dev/databases/(default)/documents/users/+11111111111"]},"targetId":2}}
17:49:20 [exp] Firestore (4.10.1) 2018-04-19T14:49:20.169Z [Connection]: WebChannel transport opened.
17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.161Z [Connection]: WebChannel received: {"targetChange":{"targetChangeType":"ADD","targetIds":[2]}}
17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.162Z [Connection]: WebChannel received: {"targetChange":{"cause":{"code":7,"message":"Missing or insufficient permissions."},"targetChangeType":"REMOVE","targetIds":[2]}}
17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.167Z [MemoryPersistence]: Starting transaction: Release query
17:49:27 [exp] Uncaught Error in onSnapshot:, [FirebaseError: Missing or insufficient permissions.]
- node_modules/firebase/node_modules/@firebase/firestore/dist/cjs/src/api/database.js:553:26 in errHandler
- ... 9 more stack frames from framework internals
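
A small triage helper for debug logs like the one above, as an added example that is not part of the original thread or of the Firebase SDK: it pairs each `addTarget` the client sent with any `REMOVE` target change that carries an error cause, so a rejected listener can be traced back to its document path. The function name, project name and sample log lines are constructed for illustration; code 7 is the gRPC `PERMISSION_DENIED` status.

```javascript
// Added example: not Firebase SDK code. The log lines are constructed to mirror
// the debug-log format quoted in the thread (hypothetical project/document names).
const P = 'projects/demo-project/databases/(default)';
const SAMPLE_LOG = [
  `17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.644Z [Connection]: Opening WebChannel transport.`,
  `17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.649Z [Connection]: WebChannel sending: {"database":"${P}","addTarget":{"documents":{"documents":["${P}/documents/users/alice"]},"targetId":2}}`,
  `17:49:18 [exp] Firestore (4.10.1) 2018-04-19T14:49:18.650Z [Connection]: WebChannel sending: {"database":"${P}","addTarget":{"documents":{"documents":["${P}/documents/users/bob"]},"targetId":4}}`,
  `17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.161Z [Connection]: WebChannel received: {"targetChange":{"targetChangeType":"ADD","targetIds":[2,4]}}`,
  `17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.162Z [Connection]: WebChannel received: {"targetChange":{"cause":{"code":7,"message":"Missing or insufficient permissions."},"targetChangeType":"REMOVE","targetIds":[2]}}`,
  // Truncated line: the JSON is cut off, so it must be skipped, not crash the parser.
  `17:49:21 [exp] Firestore (4.10.1) 2018-04-19T14:49:21.163Z [Connection]: WebChannel received: {"targetChange":{"cause":{"code":7}`,
].join('\n');

// Matches only the WebChannel send/receive lines and captures their JSON payload.
const LINE_RE = /(\d{4}-\d{2}-\d{2}T[\d:.]+Z) \[Connection\]: WebChannel (sending|received): (\{.*\})\s*$/;
const PERMISSION_DENIED = 7; // gRPC status code

function findRejectedTargets(logText) {
  const targets = new Map(); // targetId -> document paths the client asked to listen to
  const rejected = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, timestamp, direction, payload] = m;
    let msg;
    try { msg = JSON.parse(payload); } catch (e) { continue; }
    if (direction === 'sending' && msg.addTarget) {
      const docs = (msg.addTarget.documents && msg.addTarget.documents.documents) || [];
      targets.set(msg.addTarget.targetId, docs);
    } else if (direction === 'received' && msg.targetChange) {
      const tc = msg.targetChange;
      // A REMOVE without a cause is a normal unlisten; only a cause marks a server-side rejection.
      if (tc.targetChangeType !== 'REMOVE' || !tc.cause) continue;
      for (const targetId of tc.targetIds || []) {
        rejected.push({
          timestamp, targetId,
          code: tc.cause.code,
          message: tc.cause.message,
          permissionDenied: tc.cause.code === PERMISSION_DENIED,
          documents: targets.get(targetId) || [],
        });
      }
    }
  }
  return rejected;
}

console.log(JSON.stringify(findRejectedTargets(SAMPLE_LOG), null, 2));
```
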

@mikelehen
Contributor

Thanks for the details. I've been able to reproduce the issue, though I don't know yet what's causing it. I'll let you know when I know more.

@mikelehen
Contributor

I found the PR that's seemingly responsible (the problem goes away if I revert it), but I can't figure out why. :-/ #322

The issue happens on both Android and iOS, and very suspiciously goes away if I enable the network inspector in the React Native Debugger. So I think there's probably a bug (or at least behavioral difference) in the React Native networking stack at play, but despite debugging pretty deep I haven't been able to determine what it is. :-/

@mikelehen
Contributor

I've opened PR #717 to address this by implementing the workaround of not using $httpHeaders on React Native.

For reference, my investigation up to this point:

  • The issue happens on iOS and Android when using $httpHeaders to send our headers via queryparams. The issue goes away if you send the headers as normal headers instead.
  • I debugged through the webchannel and React Native code to generate the request and didn't see anything suspicious with the generated URL / request options / etc.
  • You can't see network requests from React Native unless you use their "React Native Debugger" and enable "Network Inspect" mode, but that (I think) routes all the network requests through Chrome, and then the issue goes away.
  • AFAIK I can't use a network sniffer since the traffic is SSL-encrypted.
  • So to see the requests I pointed the webchannel connection at a dummy http localhost server instead of the real Firestore, and just spun up netcat listening on a port in order to capture the requests, but I didn't see any obvious differences that would cause the React Native ones to fail.

So I'm just moving forward with the workaround.

@firebase firebase deleted a comment from apaatsio Apr 23, 2018
@firebase firebase deleted a comment from apaatsio Apr 23, 2018
@llccrr

llccrr commented May 2, 2018

Any news about this workaround?
Having the issue too :/

@mikelehen
Contributor

@llccrr Sorry, I need to do a bit of cleanup to that PR and haven't gotten a chance. It should move forward in the next day or two. Until it lands and releases, you'll probably want to stick with Firebase 4.6.2. Sorry for the inconvenience.

@mikelehen
Contributor

Okay, my PR was merged and this should be fixed in the next release.

@llccrr

llccrr commented May 14, 2018

EDIT
Ok, my bad, I tried with yarn upgrade [email protected] clean -> build -> not working.
Eventually I tried with yarn remove firebase; yarn add [email protected] -> clean -> build -> working
^^'. Thanks !

Upgraded to [email protected] and I'm still having the issue.
I'm using

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

From the Firestore documentation, to allow access to every document if the user is signed in.
But I'm still getting: Missing or insufficient permissions. from my front-end in react-native.
I am not using expo.
Is it working for you?

@mikelehen
Contributor

Thanks for the update. I'm not sure why you had to "yarn remove" / "yarn add" but I'm glad it worked. I'm closing this issue. If anybody is seeing this after [email protected], let us know. Thanks!

@jamesreilly5

jamesreilly5 commented Aug 11, 2018

I was on 4.6.2 for a long time and the other day it magically broke on Android and gave me the same permissions errors. I resolved it by bumping to 5.3.1 but I'd like to understand how this happened. Is it possible that something changed in the Firestore back end to make this suddenly break?

@firebase firebase locked and limited conversation to collaborators Oct 21, 2019