Firebase Rest API simple token authentication

Question

I want to save my application's stats to Firebase using their Restful API.

And because this can't be public (both writing and reading the stats), I have to use Firebase authentication.

The simplest way I thought is to have a STATS_WRITE_TOKEN and a STATS_READ_TOKEN, and use them in the "Security Rules" tab in Firebase.

So, what should my Security Rules look like?

-- The tokens can be generated using the "Secrets" tab in Firebase.

score 0 · Answer 1 · answered Feb 02 '14 at 18:59

If you're going to use your secret, then security rules are bypassed, so there is no need to include any permissions. You can simply restrict access to the rest of the world:

{
  "rules": { ".read": false, ".write": false }
}

If you want to restrict your app a bit more, and avoid passing your secret in the REST URL, you can generate a token for your app, give it no expiration date, and add some value into the token you can reference in security rules (e.g. isMyApp: true):

{
   "rules": {
      ".read": false,
      ".write": false,
      "stats": {
         ".read": true, // allow world to read?
         ".write": "auth.isMyApp === true" // but only my app can write
      }
   }
}

Note that this is outdated for the current SDK. See http://stackoverflow.com/questions/37426093/using-custom-tokens-to-make-rest-requests-to-fb-db-as-an-admin — Kato, Dec 19 '16 at 18:16

Firebase Rest API simple token authentication

1 Answers1