4

I'm trying to insert a new record in a Firebase Cloud Firestore database via its REST API and curl.

Reading from the database is working as expected since the operation is public. Create operation is not listed in the database rules and it is performed only server side, but I'm unable to do it using only the project API KEY.

Take for example the following curl request:

curl --header "Content-Type: application/json" \
    --request POST \
    --data '{"fields":{"myField": {"stringValue": "test"}}}' \
    https://firestore.googleapis.com/v1/projects/**MY_PROJECT**/databases/\(default\)/documents/**MY_COLLECTION**?key=**MY_KEY**

The above request returns "403: Missing or insufficient permissions.". The provided api key is fetched from the Firebase project's settings -> Web API key.

Am I missing something or authentication via only API keys is not possible?

p.s. I forgot to mention that the API KEY is unrestricted in the GCP dashboard.

unknown1276
  • 43
  • 1
  • 5

1 Answers1

3

The Firestore REST API doesn't support passing API keys. You'll notice that in the documentation, there is no mention of a "key" parameter.

If you want to perform authenticated operations using the REST API, you'll have to follow the documentation on authentication and authorization. To summarize:

For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:

  • Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.

  • Use a Google Identity OAuth 2.0 token and a service account to authenticate requests from your application, such as requests for database administration. For these requests, Cloud Firestore uses Cloud Identity and Access Management (IAM) to determine if a request is authorized.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • But what then is this key used for? In additional if I try to pass a different query param (eg. `auth`), the response error is that no such param exist, but for `key` is silent. – unknown1276 Jul 14 '19 at 16:49
  • It's used in client app configuration. Most of the time you don't have to work with it directly. It doesn't grant special access to anything. – Doug Stevenson Jul 14 '19 at 17:01
  • Thanks. I've just recently started to use GCP but I've got confused since in the console the same api key is listed as "Server key (auto created by Firebase)" and I first thought that I could use it for server side authorization. I will check the OAuth 2 auhentication api then. – unknown1276 Jul 14 '19 at 17:13