16

Thanks to this answer I am able to connect to Firebase 3 via HTTP REST API and an email/password. Logging in with this API returns an access token that is used to access the Firebase Database. This access token expires after 1 hour. A refresh token is also returned after logging in, which I can use to refresh my access token. Here is what I am doing specifically:

Method:

POST

URL:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=<my-firebase-api-key>

Payload:

{
    email: "<email>",
    password: "<password>",
    returnSecureToken: true
}

Response:

{
    "kind": "identitytoolkit#VerifyPasswordResponse",
    "localId": "<firebase-user-id>", // Use this to uniquely identify users
    "email": "<email>",
    "displayName": "",
    "idToken": "<provider-id-token>", // Use this as the auth token in database requests
    "registered": true,
    "refreshToken": "<refresh-token>",
    "expiresIn": "3600"
}

In the case of refreshing my access token:

URL: 

https://securetoken.googleapis.com/v1/token?key=<my-firebase-api-key>

Payload:

{
    grant_type: "refresh_token",
    refresh_token: "<refresh-token>"
}

Response:

{
  "access_token": "<access-token>",
  "expires_in": "3600",
  "token_type": "Bearer",
  "refresh_token": "<refresh-token>",
  "id_token": "<id-token>",
  "user_id": "<user-id>",
  "project_id": "<project-id>"
}

How do I access my database via HTTP REST API given that I have my access token?

Community
  • 1
  • 1
Rontron
  • 3,963
  • 7
  • 26
  • 44
  • 1
    check this out [https://firebase.google.com/docs/reference/rest/database#section-param-auth](https://firebase.google.com/docs/reference/rest/database#section-param-auth) they have mention in the docs. – AjayShelar Nov 11 '19 at 06:58

1 Answers1

17

So after communicating with technical support, here's my answer:

In your database rules, include something like this that is compatible with what you're doing:

{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid",
".read": "$user_id === auth.uid"
}
    }
  } 
}

And in your database, create a users table, and within that, create a table with the name of your <user-id> of the authentication email/password account you are using. Within that table is the information you will be able to access via your access-key.

Then send a request like this:

https://samplechat.firebaseio-demo.com/users/<user-id>.json?auth=<access-key>

Where access-key is the key that can be known as idToken, id_Token, or access_key in JSON responses from Google.

Rontron
  • 3,963
  • 7
  • 26
  • 44
  • 8
    This is the best answer I got. Firebase document is so messy and confusing! They don't even talk about idToken anywhere in REST docs. Such a shame. Thanks so much for this. – Richeek Jun 08 '17 at 10:32
  • 1
    Hi, I am trying to allow some json files to be publicly available and others not. I was doing this `{"rules": {"publicjson": {".read": true, ".write": false}, ".read": "auth != null", ".write": false}}`. I have no problems accessing the `publicjson`. However, I cannot access any other json that falls under the `".read": "auth != null"` rule. I am trying on postman to do a `GET` request with the `Authorization: Bearer xxx` but no luck. Do you know anything about this? The idea would be just having the access key stored in the app and used in the requests. No user table needed. Thanks – Edison Spencer Jun 19 '17 at 20:22
  • @Richeek Do you know anything of what I asked above? ^^^ Thanks – Edison Spencer Jun 19 '17 at 21:16
  • 1
    @EdisonSpencer if you just want to have a kind of admin user, then what you need to do is 1. create an admin user from firebase console (using some email & password combination) 2. Note its UID and change your read permission as auth.uid=='' 3. From your client side using email and password creds to login to firebase. Note if you are using REST for login then your login url is of the form (https://www.googleapis.com/identitytoolkit/v3/relyingparty/setAccountInfo?key=[API_KEY]). May be its better to create a separate question so that others can leverage as well! – Richeek Jun 20 '17 at 06:46
  • @Richeek Thanks for the tip about the user created in order to get its token. I didn't want to have the need to create any kind of user. I just wanted to host some information on Firebase and make it publicly available as long as you have a token in order to make GET requests to those JSONs. Otherwise it would be unauthorised. But I think I can create a user and ship it's token with the app(?) – Edison Spencer Jun 20 '17 at 17:14
  • I guess technically, you will ship that user with the app and have your app login with that user's creds. – Richeek Jun 21 '17 at 05:01
  • Hi @Richeek, only today I saw your answer because you didn't mention me. Basically I found out this documentation (https://firebase.google.com/docs/database/rest/retrieve-data) which proved useful. By appending `?auth=database-secret`, I was able to get the content of the JSON I want. Even though I later realised if I write the rule `".read": false`, instead of `".read": "auth != null"`, I am still able to access the content. But that will be another fight I guess. Thanks – Edison Spencer Jun 22 '17 at 22:15