0

I want to manage my Firebase database directly from postman or curl using Https Rest API. For example using postman and https://MY_FIREBASE_DATABSE_URL/users.json to return users json. If I set security rules for public access 

{
"rules": {
".read": true,
".write": true
}

it works fine.

But if I set security rules that need authorization

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

I get

{"error", "permission_denied" }

As far as I understand I need to append https request with auth=SECURITY_TOKEN. Using secret key from firebase console->Service Accounts for SECURITY_TOKEN doesn't work, but anyway it says there than database secrets are deprecated.

So I download a token generator for java referenced here https://www.firebase.com/docs/rest/guide/user-auth.html#section-rest-server-authentication.

I use the following code to generate my token 

    public void actionPerformed(ActionEvent e) {
    String uid = uidField.getText();
    boolean admin = adminField.isSelected();
    Map<String, Object> authPayload = new HashMap<String, Object>();
    authPayload.put("uid", uid);
    authPayload.put("some", "arbitrary");
    authPayload.put("data", "here");

    TokenOptions tokenOptions = new TokenOptions();
    tokenOptions.setAdmin(admin);

    TokenGenerator tokenGenerator = new TokenGenerator(<MY_DATABASE_SECRET>);
    String token = tokenGenerator.createToken(authPayload, tokenOptions);
    System.out.println(token);
    tokenField.setText(token);
}

as mentioned here

where MY_DATABASE_SECRET is the secret key from firebase console mentioned above and uid is a user id from my Firebase users. Using this token to postman I still get permission denied.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Andreas Oikonomou
  • 3,257
  • 2
  • 13
  • 13
  • The documentation you refer to is for the legacy version of Firebase. Your project was likely created on the new Firebase console. You cannot mix and match versions. For how to authenticate REST calls with the new version of Firebase, see this answer: http://stackoverflow.com/a/37444914/209103 by fellow Firebaser Michael Bleigh. – Frank van Puffelen Jan 24 '17 at 11:30
  • What I don't understand in that post (and I cannot comment there) is what is meant by " you need to directly use a Service Account to create administrative access " and if I need node.js for it or I can do it with Java and how. – Andreas Oikonomou Jan 24 '17 at 12:02

1 Answers1

0

Finally, after reading thoroughly the firebase documentation I figured it out. What I need to use as a security token for REST API is a firebase security token id that I can get after I have signed in to firebase with another application (ios, android, web) for example for Android with the following code

    FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
    mUser.getToken(true)
    .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
        public void onComplete(@NonNull Task<GetTokenResult> task) {
            if (task.isSuccessful()) {
                String idToken = task.getResult().getToken();
                // Send token to your backend via HTTPS
                // ...
            } else {
                // Handle error -> task.getException();
            }
        }
    });

This is the token I need to set to auth argument of query string.

For complete reference look here

Andreas Oikonomou
  • 3,257
  • 2
  • 13
  • 13