
I have a simple Firebase realtime database, just PUT/GET. It all works. But security is confusing to me.

I want to make sure only my app (with authentication) uses the database. The gotcha is the ?auth=:

https://<firebase url>/samarkand/<userID>/appState.json?auth=

It might be relevant that I am using my own userID, not a Firebase id_token (which is huge). Is that a mistake?

What works for auth= is my Firebase database secret, but the page listing that says it is deprecated. I have tried using the access_token, id_token, serverAuthCode, authCode returned from the login.

My database rule is:

{
  "rules": {
    "samarkand": {
      "$uid": {
        // Allow only authenticated content owners
        ".read": "auth !== null",
        ".write": "auth !== null"
      }
    }
  }
}

I think the secret just overrides that security. What am I missing?


2 Answers


A user's UID is not a valid value for the auth parameter of the REST API of the Firebase Realtime Database. That would actually be incredibly insecure, as anyone who'd know your UID could then request data with it (see Is auth.uid a shared secret?).

As the documentation on authentication calls to the REST API shows, you will have to either pass the ID token of a user who is signed in to Firebase Authentication, or the OAuth2 token of a collaborator on the project.

Frank van Puffelen
  • I am not using any user's UID for the auth parameter. And the ID token does not work, and the OAuth2 token does not work. What works is the Firebase account secret, even though it is listed as deprecated. For clarification, the parameter is just a database path parameter, not for auth, i.e., an index into the database. And it is one-way encrypted. – dmarques42 Oct 11 '22 at 18:51
  • Here is the result if I used ?access_token= status: 401 response: { "error" : "Unauthorized request." } And with ?auth= status: 401 response: { "error" : "Permission denied" } – dmarques42 Oct 11 '22 at 19:02
  • Perhaps I have to do an extra step, https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key= – dmarques42 Oct 11 '22 at 19:43
  • " the ID token does not work, and the OAuth2 token does not work" Please edit your question to show what you tried for these. – Frank van Puffelen Oct 11 '22 at 20:38
  • OK, that worked. I used the identitytoolkit to exchange a Google id_token for a Firebase idToken, and that worked. – dmarques42 Oct 11 '22 at 20:43
  • Apparently I was using a Google login id_token which is different from the Firebase idToken. I had not realized they were different and had to exchange one for the other. The Oauth2 access_token was also from Google login. – dmarques42 Oct 12 '22 at 04:18

I was able to get authentication to work by exchanging the Google id_token for the Firebase idToken with

https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=

Then, I could use the Firebase idToken in the original

https://<firebase url>/samarkand/<userID>/appState.json?auth=<FB_idToken>
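The two-step flow in this answer (exchange the Google id_token for a Firebase idToken via signInWithIdp, then send that idToken as ?auth= on the Realtime Database REST call), written out as an added Python example that is not part of the question or either answer. The API key, Google token, database host and the sample responses are constructed placeholders; the request/response fields are those of the documented signInWithIdp endpoint, and localId in its response is the Firebase UID that auth.uid sees in rules.

```python
import json
import urllib.parse
import urllib.request

IDP_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp"

# Constructed sample responses (shape of the real endpoint; values are fake).
SAMPLE_SIGNIN_RESPONSE = b'{"idToken": "eyJ.fake", "localId": "abc123", "expiresIn": "3600"}'
SAMPLE_ERROR_RESPONSE = b'{"error": {"code": 400, "message": "INVALID_IDP_RESPONSE"}}'


def build_signin_request(api_key, google_id_token):
    """Return (url, body) for exchanging a Google id_token for a Firebase idToken."""
    url = f"{IDP_URL}?key={urllib.parse.quote(api_key, safe='')}"
    body = {
        # postBody is a form-encoded string naming the IdP, not a bare token.
        "postBody": urllib.parse.urlencode(
            {"id_token": google_id_token, "providerId": "google.com"}),
        "requestUri": "http://localhost",
        "returnSecureToken": True,
    }
    return url, json.dumps(body).encode()


def parse_signin_response(raw):
    """Extract the Firebase idToken and Firebase UID (localId); fail loudly on an error body."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(data["error"].get("message", "token exchange failed"))
    return data["idToken"], data["localId"]


def build_db_url(db_host, uid, firebase_id_token):
    """REST URL for the user's node. ?auth= carries the Firebase idToken,
    never the UID (public, guessable) and never the deprecated database secret."""
    path = f"/samarkand/{urllib.parse.quote(uid, safe='')}/appState.json"
    return f"https://{db_host}{path}?" + urllib.parse.urlencode({"auth": firebase_id_token})


def fetch_app_state(db_host, api_key, google_id_token):
    """Full online flow: exchange the Google token, then GET the user's own node."""
    url, body = build_signin_request(api_key, google_id_token)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        id_token, uid = parse_signin_response(resp.read())
    # Use the Firebase UID from the exchange as the $uid path segment.
    with urllib.request.urlopen(build_db_url(db_host, uid, id_token)) as resp:
        return json.loads(resp.read())
```

Note that the rule in the question (".read": "auth !== null") lets any signed-in user read any $uid node; restricting it to the owner means comparing auth.uid against $uid, which is exactly the localId this exchange returns.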