I am having trouble reading Firebase custom token claims in my security rules. It was working fine previously, but I don't know why now I am unable to read the tokens, and because of this all of my security rules are now returning false.
SECURITY RULES (sample):

```
// Inside service cloud.firestore { match /databases/{database}/documents { ... } }
match /TUTORS/{docID} {
  // Both helpers must be true for a read to be allowed.
  allow read: if isSignedIn() && isTutor();
}
```

Now I always get false from the isTutor function:

```
function isTutor() {
  // Reads the custom claim from the caller's verified ID token.
  return request.auth.token.role == "tutor";
}
```
I am setting the custom token like this using the Firebase Admin SDK with the same service account. I am doing other operations with it as well, which succeed.
```javascript
const admin = require("firebase-admin"); // assumes admin.initializeApp() already ran

async function issueTutorToken(uid) {
  const additionalClaims = {
    role: "tutor",
  };
  const auth = admin.auth();
  try {
    // Persist the claim on the user record so future ID tokens carry it.
    await auth.setCustomUserClaims(uid, additionalClaims);
    // Mint a custom token (signed by the service account) with the same claims.
    const customToken = await auth.createCustomToken(uid, additionalClaims);
    return {
      type: "success",
      token: customToken,
    };
  } catch (error) {
    console.error("Error creating custom token:", error);
    return {
      type: "error",
      token: null,
    };
  }
}
```
I am getting the token as well, like this:

```
"ey**"
```

This was working fine a few days back, but I can't figure out the reason why it is not working now. If I remove the role-checking function from the security rules, the rules start to work, so I am pretty sure that the issue lies in the custom tokens.
I also did this:

```javascript
const user = await admin.auth().getUser(uid);
console.log('User custom claims:', user.customClaims);
```

and got:

```
User custom claims: { role: "tutor" }
```
- Verified custom claims are set (getUser(uid) shows { role: "tutor" }).
- Refreshed the ID token on the client using user.getIdToken(true).
- Simulated requests in the Firestore Security Rules Simulator, but request.auth.token does not include role.
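A local check I would add when debugging this (example code, not from the question and not part of the Firebase SDK): decode the ID token payload to confirm that the claim the rule reads as request.auth.token.role is really there, and distinguish a missing claim from a token minted before setCustomUserClaims ran. It assumes Node's Buffer; the sample tokens and the claimsSetAt timestamp are constructed.

```javascript
// Added diagnostic helper (not from the question): decode a Firebase ID token's
// payload locally to see whether the claim that the rules read as
// request.auth.token.role is present. No signature check is done here; this
// only shows what a token carries and must not be used to trust it.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; convert to standard padded base64.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirrors the isTutor() rule function on the decoded payload.
function isTutorClaim(token) {
  return decodeJwtPayload(token).role === "tutor";
}

// Explains why the rule would be false. claimsSetAt is a hypothetical value:
// the Unix time (seconds) at which setCustomUserClaims was called for this user.
function diagnoseRoleClaim(token, claimsSetAt) {
  const payload = decodeJwtPayload(token);
  if (payload.role === undefined) {
    if (typeof payload.iat === "number" && payload.iat < claimsSetAt) {
      return "token minted before claims were set; refresh with getIdToken(true)";
    }
    return "no role claim in token";
  }
  if (payload.role !== "tutor") return `role is ${JSON.stringify(payload.role)}, not "tutor"`;
  return "ok";
}

// Constructed, unsigned sample tokens for demonstration (dummy signature segment).
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

const TOKEN_WITH_ROLE = makeUnsignedToken({ sub: "uid-123", iat: 1700000100, role: "tutor" });
const STALE_TOKEN = makeUnsignedToken({ sub: "uid-123", iat: 1700000000 });

console.log(diagnoseRoleClaim(TOKEN_WITH_ROLE, 1700000050)); // ok
console.log(diagnoseRoleClaim(STALE_TOKEN, 1700000050)); // token minted before claims were set; refresh with getIdToken(true)
```

Run it against a real ID token taken from the client after getIdToken(true); if the role claim is absent there, the rule cannot see it either.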