Authenticate firebase real time database requests made from backend (without a user)

Time:01-05

  • I am managing a project with a lot of Firebase real time databases and a lot of data
  • I also need very precise security features, like masking certain fields for certain user roles or masking data that contains fields related to the user, etc.

I know that I can handle that using Firebase security rules, but at that scale it's not readable or maintainable at all.

So I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase knowing that ideally, I will not grant any user any rights on any databases.

Actually, I have tried to use a single "admin" user and make a simple security rule on all my firebase models like "read|write": "auth.uid === MY_ADMIN_UID" but I wonder if there is a better solution.

Could you point me in the right direction please?

CodePudding user response:

> I want to handle all those security features server-side and proxy all requests to Firebase, so I wonder what is the best way to authenticate requests made by my backend to Firebase knowing that ideally, I will not grant any user any rights on any databases.

Classically, in the Firebase model, if you want to interact with a Firebase service (e.g. the Realtime Database) from a server you will use the Admin SDK. By default the Admin SDK bypasses all Security Rules and has full access to your data.

In other words, requests from the Firebase Admin SDK are not gated by Security Rules. So it means that you can protect your RTDB with Security Rules that deny any access (i.e. ".read": false, ".write": false) in such a way that a malicious user knowing the RTDB URL cannot query it.

This also means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it.


HOWEVER, with the Realtime Database you can Authenticate with the Admin SDK with limited privileges, which IMO perfectly corresponds to your requirement, i.e. "best way to authenticate requests made by my backend".

As explained in the doc (see link above), you "use a unique identifier in your Security Rules to represent your service".

You then "set up appropriate Security Rules which grant your service access to the resources it needs" by using a specific identifier. For example:

{
  "rules": {
    "public_resource": {
      ".read": true,
      ".write": true
    },
    "private_resource": {
      ".read": "auth.uid === 'my-service-worker'",  // <======
      ".write": false
    }
  }
}

And then, "on your server, when you initialize the Firebase app, you use the databaseAuthVariableOverride option to override the auth object used by your database rules. In this custom auth object, set the uid field to the identifier you used to represent your service in your Security Rules". See the examples for Java, Node.js, Python and Go in the doc.

Note that this still means that you are in charge of controlling who is calling your proxy server before querying the RTDB from it, but the Security Rules are less generic.
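
The limited-privilege setup described in the answer above, combined with the proxy-side field masking the question asks about, as an added Node.js example that is not part of the original post or of the Firebase documentation. The role names, the hidden-field policy, the `email` and `paymentToken` fields, the helper function names and the database URL placeholder are assumptions; `my-service-worker` and `private_resource` come from the rules shown above.

```javascript
'use strict';

// Must match the uid used in the Security Rules shown in the answer.
const SERVICE_UID = 'my-service-worker';
// Placeholder: replace with your own database URL.
const DATABASE_URL = 'https://YOUR-DATABASE.firebaseio.com';

// Assumed policy: fields the proxy hides from each caller role.
const HIDDEN_FIELDS = new Map([
  ['admin', []],
  ['support', ['paymentToken']],
  ['guest', ['paymentToken', 'email']],
]);

// Initialize the Admin SDK so that rules see auth = { uid: SERVICE_UID }
// instead of being bypassed. Requires the firebase-admin package and
// application default credentials.
function openLimitedDb() {
  const admin = require('firebase-admin');
  admin.initializeApp({
    credential: admin.credential.applicationDefault(),
    databaseURL: DATABASE_URL,
    databaseAuthVariableOverride: { uid: SERVICE_UID },
  });
  return admin.database();
}

// Drop fields the role may not see; unknown roles and non-objects get null.
function maskForRole(record, role) {
  const hidden = HIDDEN_FIELDS.get(role);
  if (!hidden || record === null || typeof record !== 'object') return null;
  return Object.fromEntries(
    Object.entries(record).filter(([field]) => !hidden.includes(field)));
}

// Read one child of private_resource and mask it for the caller.
// callerRole must come from the proxy's own authentication of the caller.
async function readPrivate(db, key, callerRole) {
  // RTDB keys cannot contain . $ # [ ] /, so a strict allow-list is safe.
  if (typeof key !== 'string' || !/^[A-Za-z0-9_-]+$/.test(key)) {
    throw new TypeError('invalid key');
  }
  if (!HIDDEN_FIELDS.has(callerRole)) return null; // deny before touching the DB
  const snapshot = await db.ref(`private_resource/${key}`).once('value');
  return maskForRole(snapshot.val(), callerRole);
}
```

On a server with credentials configured, `readPrivate(openLimitedDb(), key, role)` performs the read under the `my-service-worker` identity, so a bug in the proxy can reach only what the rules grant to that uid.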
