Using (deprecated) secret to access firebase realtime database -- REST API


I have a simple Firebase realtime database, just PUT/GET. It all works. But security is confusing to me.

I want to make sure only my app (with authentication) uses the database. The gotcha is the ?auth=:

https://<firebase url>/samarkand/<userID>/appState.json?auth=

It might be relevant that I am using my own userID, not a Firebase id_token (which is huge). Is that a mistake?

What works for auth= is my Firebase database secret, but the page listing that says it is deprecated. I have tried using the access_token, id_token, serverAuthCode, authCode returned from the login.

My database rule is:

{
  "rules": {
    "samarkand": {
      "$uid": {
        // Any signed-in user may read and write here (auth !== null).
        // This does not restrict access to the content owner; that would
        // need a check such as auth.uid === $uid.
        ".read": "auth !== null",
        ".write": "auth !== null"
      }
    }
  }
}

I think the secret just overrides that security. What am I missing?

CodePudding user response:

A user's UID is not a valid value for the auth parameter of the REST API of the Firebase Realtime Database. That would actually be incredibly insecure, as anyone who'd know your UID could then request data with it (see Is auth.uid a shared secret?).

As the documentation on authentication calls to the REST API shows, you will have to either pass the ID token of a user who is signed in to Firebase Authentication, or the OAuth2 token of a collaborator on the project.

CodePudding user response:

I was able to get authentication to work by exchanging the Google id_token for the Firebase idToken with

https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=

Then, I could use the Firebase idToken in the original

https://<firebase url>/samarkand/<userID>/appState.json?auth=<FB_idToken>
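The flow described in the two answers above (the auth value must be a Firebase ID token rather than a UID or the legacy database secret, and that token is obtained by exchanging the Google id_token through signInWithIdp), as an added Python example that is not part of either answer and is not Firebase's own SDK code. It assumes the caller already has the project's Web API key and a Google id_token; the host example-project.firebaseio.com, the UID user-123 and the JWT-shaped sample token are constructed placeholders, and the request/response field names are those of the public Identity Toolkit REST API.

```python
"""
Exchange a Google id_token for a Firebase ID token (signInWithIdp), then build a
Realtime Database REST call that sends that ID token as ?auth=... instead of a
bare UID or the deprecated database secret.
"""
import base64
import json
import urllib.parse
import urllib.request

SIGN_IN_WITH_IDP = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp"


def build_signin_request(api_key, google_id_token, request_uri="http://localhost"):
    """URL and JSON body for the signInWithIdp call that swaps a Google id_token
    for a Firebase idToken. api_key is the project's Web API key (assumed known)."""
    url = SIGN_IN_WITH_IDP + "?" + urllib.parse.urlencode({"key": api_key})
    body = {
        # postBody is form-encoded: the Google token plus the provider id
        "postBody": urllib.parse.urlencode(
            {"id_token": google_id_token, "providerId": "google.com"}),
        "requestUri": request_uri,
        "returnSecureToken": True,
        "returnIdpCredential": True,
    }
    return url, body


def parse_signin_response(raw):
    """Extract the fields a client needs from the signInWithIdp JSON response."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError("signInWithIdp failed: %s" % data["error"].get("message"))
    return {
        "id_token": data["idToken"],           # the Firebase ID token (a JWT)
        "refresh_token": data["refreshToken"],  # use to mint a new ID token later
        "expires_in": int(data["expiresIn"]),   # seconds; ID tokens are short-lived
        "uid": data["localId"],                 # Firebase UID of the signed-in user
    }


def jwt_claims(token):
    """Decode (without verifying) a JWT payload so the caller can inspect the uid
    (sub / user_id) and expiry (exp). Verification is the server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_db_request(db_url, uid, firebase_id_token, payload=None):
    """URL, method and body for /samarkand/<uid>/appState.json?auth=<idToken>.
    Rejects the original mistake of sending the UID (or a dot-less secret) as
    the credential; a Firebase ID token is always a three-part JWT."""
    if firebase_id_token == uid or firebase_id_token.count(".") != 2:
        raise ValueError("auth must be a Firebase ID token (JWT), not a UID or secret")
    path = "%s/samarkand/%s/appState.json" % (
        db_url.rstrip("/"), urllib.parse.quote(uid, safe=""))
    url = path + "?" + urllib.parse.urlencode({"auth": firebase_id_token})
    if payload is None:
        return url, "GET", None
    return url, "PUT", json.dumps(payload).encode()


def send(url, method="GET", body=None):
    """Perform the HTTP call; only meaningful against a real project."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def _fake_jwt(claims):
    """Unsigned JWT-shaped string for offline demonstration only
    (constructed sample, not a real Firebase token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + ".sig"


SAMPLE_UID = "user-123"  # constructed placeholder
SAMPLE_FIREBASE_ID_TOKEN = _fake_jwt(
    {"sub": SAMPLE_UID, "user_id": SAMPLE_UID, "exp": 1700003600})


if __name__ == "__main__":
    url, body = build_signin_request("WEB_API_KEY_PLACEHOLDER", "GOOGLE_ID_TOKEN_PLACEHOLDER")
    print("POST", url, json.dumps(body))
    # Against a real project: token = parse_signin_response(
    #     send(url, "POST", json.dumps(body).encode()))["id_token"]
    print(jwt_claims(SAMPLE_FIREBASE_ID_TOKEN))
    db_url, method, data = build_db_request(
        "https://example-project.firebaseio.com", SAMPLE_UID,
        SAMPLE_FIREBASE_ID_TOKEN, {"level": 3})
    print(method, db_url, data)
```

The ID token is large because it is a signed JWT carrying the user's claims; the database checks its signature and expiry and exposes the claims as `auth` in the rules, which is exactly why a bare UID cannot stand in for it.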