My data on Firebase should only be readable in the context of my web page and not, for example, by opening a Firebase URL.
For users that are not already registered, I use signInAnonymously() which gives them a user.uid but they still do not appear to be authenticated. Thus, the rule ".read": "auth != null" results in PERMISSION_DENIED for these users, even though they have a user object.
Here's my JavaScript:
$(document).ready(function () {
var config = {
apiKey: "<my api key>",
authDomain: "<my firebase>.firebaseapp.com",
databaseURL: "https://<my firebase>.firebaseio.com",
storageBucket: "<my firebase>.appspot.com"
};
firebase.initializeApp(config);
firebase.auth().onAuthStateChanged(function (user) {
if (user) {} else {
firebase.auth().signInAnonymously();
}
});
var ref = new Firebase("https://<my firebase>.firebaseio.com/offices/some_office");
ref.on("value", function (snapshot) {
var name = snapshot.child("title").val();
console.log(snapshot.val());
}, function (errorObject) {
console.log("The read failed: " + errorObject.code);
});
});
and the corresponding rule:
"offices": {
"$office_id": {
".read": "auth != null",
".write": "auth != null"
}
},
It works when I change the read permission to true.
What rule can I use to allow only signed in anonymous users (and registered logged-in users) to read my data?
Your code is attaching a listener before the user is signed in. The Firebase Database server immediately checks the permission when the listener is first attached, so it immediately rejects the unauthorized listen.
The solution is to wait until the user is authenticated before attaching the listener:
By the way: I highly recommend that you also update your code for the Firebase Database to version 3.x.