0

I want to be able to read and write to the firebase realtime database only from my server, using only REST calls and no modules.

I tried looking into https://firebase.google.com/docs/database/rest/auth but a crucial step is using the googleapis module to generate the key needed, which requires installing a module. I tried looking at https://firebase.google.com/docs/reference/rest/auth/ to see how to do that itself using unit REST calls, but that are using the web api key in the settings, which is not the same as the secret key file, so I have no idea how to use service keys.

As an alternative I thought that in the rules I can somehow limit read and write access only to a certain url, such as "mysite.com/?secretKey", but even just entering the "request" variable gives an error.

So:

How can I limit read and write access of a firebase realtime database to only my server, using unit REST requests and no modules at all?

Edit

 this is not a duplicate. There's a difference between a url and a domain. Anyone can fake requests from a specific domain if they simply navigate to it. If one uses a unique url with a secret code in the search parameter then not anyone can do so. Second "duplicate" is marked as duplicate with answer that deals with domain, not url. Last answer doesn't address ONLY REST api. 

Yackov L
  • 11
  • 1
  • 1
    Maybe you can create a user in Firebase Auth and use security rules ti only allow that user to read/write to DB. You'll just need a token that you can get from Firebase Auth REST APIl. – Dharmaraj Oct 31 '22 at 12:41
  • In addition to the answer I linked, also have a look at Firebase App Check, as that nowadays allows you to lock down access to requests coming from a specific domain/app: https://firebase.google.com/docs/app-check – Frank van Puffelen Oct 31 '22 at 14:27
  • 1
    @frank this is not a duplicate. There's a difference between a url and a domain. Anyone can fake requests from a specific domain if they simply navigate to it. If one uses a unique url with a secret code in the search parameter then not anyone can do so. Second "duplicate" is marked as duplicate with answer that deals with domain, not url. Last answer doesn't address ONLY REST api. – Yackov L Oct 31 '22 at 21:26
  • 1
    There is no way to pass a custom parameter to the REST request and have that either validated by the database server or your database's security rules. App Check allows you to enforce requests from a specific domain, but won't work on REST calls (last I checked). The only alternative is to use security rules, but only the auth ID token, the path that is access, and (for writes) the data that is written are passed from the request to the security rules. So what you can do is: 1) encode the secret in the path of the data, 2) pass the secret in the auth token, 3 pass the secret in the data. – Frank van Puffelen Nov 01 '22 at 00:42
  • For an example of passing the secret in the path, see https://stackoverflow.com/questions/65993204/firebase-database-sending-payload-with-rest-request/65995490#65995490, https://stackoverflow.com/questions/50083815/how-do-i-authenticate-my-firebase-with-just-a-string-key/50087317#50087317 and https://stackoverflow.com/questions/61984824/firebase-realtime-database-rules-for-secret-url-sharing and – Frank van Puffelen Nov 01 '22 at 01:13

0 Answers0