how to query from firebase realtime database with security rules applied

Question

I have setup a basic security rules of firebase realtime database for this question. Before I jump to the problem, I have created a Flutter mobile app with GetX and also I have installed http: ^0.13.4 plugin for querying.

Here is how I set the security rules

{
  "rules":{
    ".read" : "auth.uid !== null && auth.token.email_verified == true",
    ".write" : "auth.uid !== null"    
  }
}

So basically, I want users to be able to read the data if they are authenticated and email verified.

And for write rule, only if the user is authenticated and the custom claims of isAdmin is set to true. For isAdmin, I don't know to set it in the security rules.

Is it something like this?

"auth.uid !== null && root.child('isAdmin').val() == true" 

Anyways, my problem is how to query using http plugin on client side? Here is a sample of GET query

Uri url = Uri.parse('URL HERE with /.json file');

getIPTIdAndName() async {
  iptList.value = [];
  await http.get(url, headers: {"Authorization": FirebaseAuth.instance.currentUser!.uid}).then(
    (value) {
      var response = json.decode(value.body) as List<dynamic>;
      for (var i = 0; i < response.length; i++) {
        iptList.add({
          "iptIndex": i,
          "iptId": response[i]['id'],
          "iptName": response[i]['name']
        });
      }
      iptList.refresh();
    },
  );
}

How to query if the security rules is set?

UPDATED code

//create a function inside authController and called it inside the javascript
Future<String> getIdToken() async{
  return await FirebaseAuth.instance.currentUser!.getIdToken();
}

getIPTIdAndName() async {
  iptList.value = [];

  Uri url = Uri.parse('$urlString?auth=${await auth.getIdToken()}');

  await http.get(url).then(
    (value) {
      var response = json.decode(value.body) as List<dynamic>;
      for (var i = 0; i < response.length; i++) {
        iptList.add({
          "iptIndex": i,
          "iptId": response[i]['id'],
          "iptName": response[i]['name']
        });
      }
      iptList.refresh();
    },
  );
}

//security rules
{
  "rules":{
    ".read" : "auth != null && auth.token.email_verified == true",
    ".write" : "auth != null && auth.token.admin == true"    
  }
}

Answer 1

If Firebase accepted the UID as a URL parameter that would be horribly insecure, as anyone could then pass your UID and gain access to your data.

Instead you should pass the ID token, which is an encoded version of the entire user data, that the Firebase servers can then decode and pass in the auth variable to your rules.

For more on this, see the documentation on authenticating requests to the REST API of the Firebase Realtime Database , specifically the section on authenticating with an ID token .