I'm using Firebase's Anonymous Sign-in Authentication and Real Time database SDK in my gaming project. Player's are identifed with the User ID and this User ID is never exposed to the client. Also this UserID is sent to the firebase RTDB to update player's information. In order to secure the writing permission of the users, I set some security rules to my database using auth variable. I have security rules similar to this :

{ "my_db_path": {
".write" : "auth != null && $user_id == auth.uid" } }

However in the Firebase Auth documentation, it is recomended to authenticate user with token ID. After a little bit of research of this token usage, I understand that I have to verify this token with using Firebase Admin SDK , and then use this verified User ID to authenticate users in the backend. My question is that, is it necessary to verify tokenID even if I have security rules that already checks client's UserID with auth's UserID?

I already try to setup Firebase Admin SDK to my Unity Project, but I had some problems with the nuget packages. So I wonder, do I really need to validate token and use Firebase Admin SDK in my unity project?

CodePudding user response：

Firebase security rules automatically verify the token provided by the client SDK. The user's UID is then available in the rules as auth.uid. There is no need to use the Admin SDK in security rules, and it's not even possible to do so.

You only need the Admin SDK if you are providing a custom backend for your app and need to verify that the user making a request to is has been authenticated. The Admin SDK is not for use in client application code, only backend.