I'm working on a site, using firebase
The security was:
{
"rules": {
"users": {
".read": true,
".write": true
}
}
}
So everyone can add their info, but none can access the main part.
But when someone now types this in the console:
ref = new Firebase("https://xxx.firebaseio.com/users");
ref.createUser({
email: email,
password: password
}, function(error, userData) {});
ref.authWithPassword({
email: email,
password: password
}, function(error, authData) {));
ref.remove();
all userdata will be removed.
All users have their own uid (e.g. simplelogin:58) and storageID (e.g. -Js18LFoT0SmFi2Iq4GP)
could I maybe do something with those? I really don't want anyone to be able to remove all of my user data, but I need to let the users edit their own info, and to remove their account when they'd like to.
Here's some of my code:
function register() {
var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
ref.createUser({
email: email,
password: password
}, function(error, userData) {
if (error) {
alert("Error creating user: " + error)
} else {
console.log("Successfully created user account with uid:", userData.uid);
var uid = userData.uid
var usersRef = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + uid)
var newUser = usersRef.set({
faveShow1: "",
faveShow2: "",
faveShow3: "",
faveShow4: "",
faveShow5: "",
faveShow6: "",
faveShow7: "",
faveShow8: "",
faveShow9: "",
faveShow10: "",
uid: uid
});
//var key = newUser.key();
//console.log(key)
login();
}
});
}
function login() {
clear();
var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
ref.authWithPassword({
email: email,
password: password
}, function(error, authData) {
if (error) {
alert("Login Failed!" + error);
} else {
console.log("Authenticated successfully with payload:", authData);
thisAuthData = authData.uid;
var usersRef = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + thisAuthData);
usersRef.on("value", function(snapshot) {
for (var i = 0; i < 1; i++) {
console.log(snapshot.val())
if (true) {
globalAuthData = snapshot.val();
//globalKey = amount;
var SS = snapshot.val()
show1 = SS.faveShow1;
show2 = SS.faveShow2;
show3 = SS.faveShow3;
show4 = SS.faveShow4;
show5 = SS.faveShow5;
show6 = SS.faveShow6;
show7 = SS.faveShow7;
show8 = SS.faveShow8;
show9 = SS.faveShow9;
show10 = SS.faveShow10;
//...//
}
}
}, function(errorObject) {
alert("The read failed: " + errorObject.code);
});
}
});
}
function removeUser() {
clear();
var ref = new Firebase("https://fiery-heat-xxx.firebaseio.com/");
var refSer = new Firebase("https://fiery-heat-xxx.firebaseio.com/users/" + thisAuthData)
ref.removeUser({
email: email,
password: password
}, function(error) {
if (error === null) {
alert("User removed successfully");
refSer.remove();
logoff();
} else {
console.log("Error removing user:", error);
}
});
}
function edit() {
clear();
var fredNameRef = new Firebase('https://fiery-heat-xxx.firebaseio.com/users/' + thisAuthData);
var onComplete = function(error) {
if (error) {
console.log('Synchronization failed');
} else {
console.log('Synchronization succeeded');
console.log(thisAuthData);
console.log(globalAuthData);
login();
}
};
if (document.getElementById("form1").value != "") {
var show1 = document.getElementById("form1").value;
}
var show2 = document.getElementById("form2").value;
var show3 = document.getElementById("form3").value;
var show4 = document.getElementById("form4").value;
var show5 = document.getElementById("form5").value;
var show6 = document.getElementById("form6").value;
var show7 = document.getElementById("form7").value;
var show8 = document.getElementById("form8").value;
var show9 = document.getElementById("form9").value;
var show10 = document.getElementById("form10").value;
fredNameRef.update({
faveShow1: show1,
faveShow2: show2,
faveShow3: show3,
faveShow4: show4,
faveShow5: show5,
faveShow6: show6,
faveShow7: show7,
faveShow8: show8,
faveShow9: show9,
faveShow10: show10,
}, onComplete);
}
function logoff() {
clear()
var ref = new Firebase('https://fiery-heat-xxx.firebaseio.com/')
ref.unauth();
//...//
}
}
and my securety rules:
{
"rules": {
"users": {
"$user_id": {
".write": "$user_id === auth.uid"
},
".read": true
}
}
}
But I can't register or update right now...
To make sure a user's information can only be edited by that user, you want to use auth.uid.
https://www.firebase.com/docs/web/guide/understanding-security.html
The most important built-in variable is auth. This variable is
populated after your user authenticates. It contains data about them
and auth.uid, a unique, alphanumeric identifier that works across
providers. The auth variable is the foundation of many rules.
{
"rules": {
"users": {
"$user_id": {
".write": "$user_id === auth.uid"
}
}
}
}
To make it a little more clear, auth.uid refers to the currently logged in user, and $user_id refers to the location in database. The $ points to the $location rule variable:
https://www.firebase.com/docs/security/api/rule/path.html
{ "rules": {
"users": {
"$user": {
".read": "auth.uid === $user",
".write": "auth.uid === $user"
}
}
}
}
When a user authenticates to a Firebase app, three things happen:
Information about the user is returned in callbacks on the client
device. This allows you to customize your app's user experience for
that specific user.
The user information returned contains a uid (a
unique ID), which is guaranteed to be distinct across all providers,
and to never change for a specific authenticated user. The uid is a
String that contains the name of the provider you're authenticating
with, followed by a colon and a unique id returned from the provider.
The value of the auth variable in your app's Security and Firebase
Rules becomes defined. This variable is null for unauthenticated
users, but for authenticated users it is an object containing the
user's unique (auth.uid) and potentially other data about the user.
This allows you to securely control data access on a per-user basis.
Related
i am working on Amazon lex. when i give input to amazon lex its gives me following error
i add lambda function in Fulfillment and from lambda i am getting customer information from MySQL Database
here is my lambda function
const mysql = require('mysql');
var pool = mysql.createPool({ // a connection pool is a cache of database connections maintained so that the connections can be reused when future requests to the database are required
host: process.env.RDS_HOSTNAME,
user: process.env.RDS_USERNAME,
password: process.env.RDS_PASSWORD,
port: process.env.RDS_PORT,
database: process.env.RDS_DATABASE
});
exports.handler = (event, context, callback) => {
let MembershipNumber = event.currentIntent.slots.MembershipNumber;
// allows for using callbacks as finish/error-handlers
context.callbackWaitsForEmptyEventLoop = false;
pool.getConnection(function(err, connection) {
if (err) throw err;
let sql = "select * from Sales.CustomerTable where MembershipNumber= ? LIMIT 1";
let field = [MembershipNumber];
connection.query(sql,field, function (err, result, fields) {
if (err) {
console.log(err); // an error occurred
context.fail(buildResponse(false));
}
else {
if (result.length === 1) {
//console.log(data.Items[0].Arrival_city);
var FirstName = result[0].FirstName;
var LastName = result[0].LastName;
var Address = result[0].Address;
var PrimaryPhone = result[0].PrimaryPhone;
var SecondaryPhone = result[0].SecondaryPhone;
var Email = result[0].Email;
var Type = result[0].Type;
var MembershipNumber = result[0].MembershipNumber;
var Pin = result[0].Pin;
callback(null, {
"dialogAction": {
"type": "ConfirmIntent",
"fulfillmentState": "Fulfilled",
"message": {
"contentType": "PlainText",
"content": FirstName,LastName,Address,PrimaryPhone,SecondaryPhone,Email,Type,MembershipNumber,Pin
}
}
});
}
else {
console.log("Membership Number not found");
callback(null, buildResponse(true, "none"));
}
}
});
});
};
function buildResponse(isSuccess, FirstName, LastName, Address, PrimaryPhone, SecondaryPhone, Email, Type, MembershipNumber, Pin) {
if (isSuccess) {
return {
FirstName: FirstName,
LastName: LastName,
Address: Address,
PrimaryPhone: PrimaryPhone,
SecondaryPhone: SecondaryPhone,
Email:Email,
Type:Type,
MembershipNumber:MembershipNumber,
Pin:Pin,
lambdaResult: "success"
};
}
else {
console.log("Lambda returned error to Connect");
return { lambdaResult: "Error" };
}
}
here is the test event object
{
"messageVersion": "1.0",
"invocationSource": "FulfillmentCodeHook",
"userId": "user-1",
"sessionAttributes": {},
"bot": {
"name": "Sales",
"alias": "sales",
"version": "$LATEST"
},
"outputDialogMode": "Text",
"currentIntent": {
"name": "iamamember",
"slots": {
"MembershipNumber": "78541258"
},
"confirmationStatus": "None"
}
}
i want to integrate this with my contact flow. i don't what is this error about. If anyone of you know help me. Thanks
From the error message, the response JSON from lambda is not matching with what Lex expects. As per the error message, it appears that this line has the problem:
"content": FirstName,LastName,Address,PrimaryPhone,SecondaryPhone,Email,Type,MembershipNumber,Pin
The value of content needs to be a string. However, from your screenshot, this is getting resolved as "content": "alys", "Lastname",...
I believe what you want to do is a concatenation of FirstName, LastName and all the other things you want to return in the content. Use a correct function that will do concatenation of these fields and then put them as comma-separated.
Reference: https://docs.aws.amazon.com/lex/latest/dg/lambda-input-response-format.html
I have recently been developing a MERN application and I have recently came into the trouble that express is saying that I am setting headers after they are sent.
I am using mongo db and trying to update a user profile.
I have tried to comment out my res.send points to find the issue but I have failed to do so.
Here is my post method for updating the user profile:
app.post("/api/account/update", (req, res) => {
const { body } = req;
// Validating and Checking Email
if (body.email) {
var email = body.email;
email = email.toLowerCase();
email = email.trim();
body.email = email;
User.find(
{
email: body.email
},
(err, previousUsers) => {
if (previousUsers.length > 0) {
return res.send({
success: false,
message:
"Error: There is already another account with that email address"
});
} else {
}
}
);
}
// Validating Names Function
function checkName(name) {
var alphaExp = /^[a-zA-Z]+$/;
if (!name.match(alphaExp)) {
return res.send({
success: false,
message: "Error: Names cannot contain special characters or numbers"
});
}
}
checkName(body.firstName);
checkName(body.lastName);
// Making sure that all fields cannot be empty
if (!body.email && !body.firstName && !body.lastName) {
return res.send({
success: false,
message: "Error: You cannot submit nothing"
});
}
// Getting User ID from the current session
UserSession.findById(body.tokenID, function(err, userData) {
// Finding User ID using the current users session token
if (userData.isDeleted) {
return res.send({
success: false,
message:
"Error: Session token is no longer valid, please login to recieve a new one"
});
}
// Deleting the token ID from the body object as user table entry doesnt store tokens
delete body.tokenID;
// Finding the user profile and updating fields that are present
User.findByIdAndUpdate(userData.userId, body, function(err, userInfo) {
if (!err) {
return res.send({
success: true,
message: "Success: User was updated successfully"
});
}
});
});
});
This is the call that I am doing to the backend of the site:
onUpdateProfile: function(fieldsObj) {
return new Promise(function(resolve, reject) {
// Get Session Token
const obj = getFromStorage("the_main_app");
// Defining what fields are getting updated
fieldsObj.tokenID = obj.token;
// Post request to backend
fetch("/api/account/update", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify(fieldsObj)
})
.then(res => {
console.log("Verify Token - Res");
return res.json();
})
.then(json => {
console.log("Verify Token JSON", json);
if (json.success) {
window.location.href = `/manage-account?success=${json.success}`;
} else {
window.location.href = `/manage-account?success=${json.success}`;
}
});
});
}
Here is my error message that I am getting:
Error: Can't set headers after they are sent.
at validateHeader (_http_outgoing.js:491:11)
at ServerResponse.setHeader (_http_outgoing.js:498:3)
at ServerResponse.header (C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\express\lib\response.js:767:10)
at ServerResponse.send (C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\express\lib\response.js:170:12)
at ServerResponse.json (C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\express\lib\response.js:267:15)
at ServerResponse.send (C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\express\lib\response.js:158:21)
at C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\routes\api\account.js:270:22
at C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\mongoose\lib\model.js:4641:16
at process.nextTick (C:\Users\kieran.corkin\Desktop\Projects\Mern Template Final\mern-cra-and-server\server\node_modules\mongoose\lib\query.js:2624:28)
at _combinedTickCallback (internal/process/next_tick.js:131:7)
at process._tickCallback (internal/process/next_tick.js:180:9)
[nodemon] app crashed - waiting for file changes before starting...
Can anyone help me with this?
EDIT
I have changed my code, this seems to now work however I feel like its a little messy when put together. Any refactoring tips?
Code:
app.post("/api/account/update", (req, res) => {
// Preform checks on data that is passed through
const { body } = req;
var messages = {
ExistedUser:
"Error: There is already another account with that email address",
NameFormat: "Error: Names cannot contain special characters or numbers",
BlankInputs: "Error: You cannot submit nothing",
accountLoggedOut:
"Error: Session token is no longer valid, please login to recieve a new one",
successfullyUpdated: "Success: User was updated successfully"
};
var usersFound;
if (body.email) {
var email = body.email;
email = email.toLowerCase();
email = email.trim();
body.email = email;
User.find(
{
email: body.email
},
(err, UserCount) => {
usersFound = UserCount;
}
);
}
function capitalize(text) {
return text.replace(/\b\w/g, function(m) {
return m.toUpperCase();
});
}
if (body.firstName) {
body.firstName = capitalize(body.firstName);
}
if (body.lastName) {
body.lastName = capitalize(body.lastName);
}
//Making sure that all fields cannot be empty
if (!body.email && !body.firstName && !body.lastName) {
return res.send({
success: false,
message: messages.BlankInputs
});
}
// Getting User ID from the current session
UserSession.findById(body.tokenID, function(err, userData) {
// Finding User ID using the current users session token
if (userData.isDeleted) {
return res.end({
success: false,
message: messages.accountLoggedOut
});
}
if (userData) {
// Deleting the token ID from the body object as user table entry doesnt store tokens
delete body.tokenID;
// Finding the user profile and updating fields that are present
User.findByIdAndUpdate(userData.userId, body, function(err, userInfo) {
if (userInfo) {
if (!usersFound.length > 0) {
return res.send({
success: true,
message: messages.successfullyUpdated
});
} else {
return res.send({
success: false,
message: messages.ExistedUser
});
}
}
});
}
});
});
You're calling res.send() twice. res.send() ends the process. You ought to refactor such that you call res.write() and only call res.send() when you're done.
This StackOverflow link describes the difference in more detail. What is the difference between res.send and res.write in express?
I believe this is happening, as you're trying to send a response after the first / initial response has already been sent to the browser. For example:
checkName(body.firstName);
checkName(body.lastName);
Running this function twice is going to try and yield 2 different "response" messages.
The product of a single route, should ultimately be a single response.
Thanks for all your help on this issue.
Here is my final code that allowed it to work.
I have also tried to "refactor" it too. Let me know if you'd do something else.
app.post("/api/account/update", (req, res) => {
const { body } = req;
console.log(body, "Logged body");
// Defining objects to be used at the end of request
var updateUserInfo = {
userInfo: {},
sessionToken: body.tokenID
};
var hasErrors = {
errors: {}
};
// Checking that there is at least one value to update
if (!body.email && !body.firstName && !body.lastName) {
var blankError = {
success: false,
message: "Error: You cannot change your details to nothing"
};
hasErrors.errors = { ...hasErrors.errors, ...blankError };
} else {
console.log("Normal Body", body);
clean(body);
console.log("Cleaned Body", body);
updateUserInfo.userInfo = body;
delete updateUserInfo.userInfo.tokenID;
}
// Function to check if object is empty
function isEmpty(obj) {
if (Object.keys(obj).length === 0) {
return true;
} else {
return false;
}
}
// Function to remove objects from body if blank
function clean(obj) {
for (var propName in obj) {
if (obj[propName] === "" || obj[propName] === null) {
delete obj[propName];
}
}
}
// Checking and Formatting Names Given
function capitalize(text) {
return text.replace(/\b\w/g, function(m) {
return m.toUpperCase();
});
}
if (body.firstName) {
body.firstName = capitalize(body.firstName);
}
if (body.lastName) {
body.lastName = capitalize(body.lastName);
}
// Checking and formatting email
if (body.email) {
body.email = body.email.toLowerCase();
body.email = body.email.trim();
// Checking for email in database
User.find({ email: body.email }, (err, EmailsFound) => {
if (EmailsFound.length > 0) {
var EmailsFoundErr = {
success: false,
message: "There is already an account with that email address"
};
hasErrors.errors = { ...hasErrors.errors, ...EmailsFoundErr };
}
});
}
// Getting User Session Token
UserSession.findById(updateUserInfo.sessionToken, function(err, userData) {
// Finding User ID using the current users session token
if (userData.isDeleted) {
var userDeletedError = {
success: false,
message:
"Your account is currently logged out, you must login to change account details"
};
hasErrors.errors = { ...hasErrors.errors, ...userDeletedError };
} else {
// Finding the user profile and updating fields that are present
User.findByIdAndUpdate(
userData.userId,
updateUserInfo.userInfo,
function(err, userInfo) {
// userInfo varable contains user db entry
if (err) {
var updateUserError = {
success: false,
message: "Error: Server Error"
};
hasErrors.errors = {
...hasErrors.errors,
...updateUserError
};
}
if (isEmpty(hasErrors.errors)) {
res.send({
success: true,
message: "Success: You have updated your profile!"
});
} else {
res.send({
success: false,
message: hasErrors.errors
});
}
}
);
}
});
});
I'm new to Web Development, especially to Firebase.
I'm trying to check if there are no errors while creating a user in Firebase Authentication system, so I can put this user into Database.
Here's my code:
function register() {
var firebaseRef = firebase.database().ref();
var shaObj = new jsSHA("SHA-256", "TEXT")
shaObj.update(passwordField.value)
//console.log(hash)
var email = emailField.value
var password = shaObj.getHash("HEX")
if (isBarber != null) {
if (email != "" && password != "") {
firebase.auth().createUserWithEmailAndPassword(email, password).catch(function(error) {
$('#errorMsg').show();
$('#errorMsg').text(error.message);
if (error === null) {
var user = firebase.auth().currentUser;
var userID = user.uid;
firebase.database().ref('users/' + userID).set({
userEmail: email,
userPassword: password,
userIsBarber: isBarber
})
}
});
} else {
alert('Email or password fields are empty')
}
} else {
alert('Select your role')
}
}
createUserWithEmailAndPassword works properly and creates a user, but I don't know how to check if there are no errors so I could add this user to database.
Thanks a lot
You can use then() to action on a successful registration as follows:
firebase.auth().createUserWithEmailAndPassword(email, password).then(function(user) {
//Registration is successful
var user = firebase.auth().currentUser;
var userID = user.uid;
firebase.database().ref('users/' + userID).set({
userEmail: email,
userPassword: password,
userIsBarber: isBarber
})
}).catch(error) {
//Registration unsuccessful
$('#errorMsg').show();
$('#errorMsg').text(error.message);
});
I have problems with read permission.
It will be helpfull if someone help me.
Note: the authentification work the user is loged...
Write permissions work but read permissions are denied.
I have this code:
{
"rules": {
"user":{
"$uid":{
".read": "auth.uid==$uid", // i try with ===
".write": "auth.uid==$uid" // i try with ===
}
}
}
}
This is the javascript code:
var userRef= db.ref().child("user/"+id);
userRef.on('child_added', data=>{
console.log(data.val());
});
userRef.on('child_changed', data=>{
console.log(data.val());
});
userRef.on('child_removed', data=>{
console.log(data.val());
});
function insertUser(){
db.ref("user/"+id).set({
email:email,
name:name
});
}
I also try with:
This make me a error on JavaScript
var userRef= db.ref("user").child(id);
I put ".read": true, but nothing happen yet!
I get the id in that way:
firebase.auth().onAuthStateChanged(
function(user){
if (user) {
if (user != null) {
user.providerData.forEach(function (profile) {
name = profile.displayName;
email = profile.email;
photoUrl = profile.photoURL;
id=user.uid;
var img = document.querySelector('#simg');
var p = document.querySelector('#p');
img.src=photoUrl;
p.innerHTML=name;
pemail.innerHTML=email;
});
}
}
Thanks!
I have a Node app with a Firebase db with security like this :
{
"rules": {
".read": true,
"albums": {
".write": "auth != null",
}
}
}
I login like this:
var firebaseTokenGenerator = require('firebase-token-generator'),
firebase = require('firebase');
var tokenGenerator = new firebaseTokenGenerator('my key');
var token = tokenGenerator.createToken();
var albumRef = new firebase('https://glowing-fire-8113.firebaseio.com/albums');
albumRef.auth(token, function(err) {
if(err) {
console.log("Authentication failed!");
} else {
console.log("Login succeeded!");
}
});
I get "Login succeeded!" printed to the console.
Then, later on I call this function:
var addAlbum = function(album, callback) {
if(album["album"] && album["artist"] && album["image"]) {
albumRef.push().set(album);
callback(null);
}
callback(new Error("Album JSON was missing some items"));
};
But, I get this printed out:
FIREBASE WARNING: set at /albums/-JMU95j8W4Vz3kchhNzL failed: permission_denied
What is going on here? Am I doing authentication incorrectly?
For reference, I'm using
"firebase" : "1.0.14",
"firebase-token-generator" : "0.1.4",