0

Let's say that I have a Firebase project name and an API key but I don't know the structure of the database. How can I query all database data using REST API?

For more specifically, I'm messing around with a mobile game called Dynamons World and it looks like they use Firebase to store data for PvP matches. I found Firebase URL and API key stored in apk file. They left it there so I thought it wouldn't be a problem if I tried opening it and seeing what was inside.

I tried querying the data using:

GET https://dynamons-3-1cdf5.firebaseio.com/.json?key=AIzaSyAJfk_Feo4__C-oNz0eZ8lQmyF7rwYhnjk

But it returns "Permission denied", I tried looking for Refs that I can access in the decompiled code of the game but I can't seem to find them.

How can I query the database, or at least know what Refs I can retrieve ??

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
ShikamaruBH
  • 13
  • 4
  • 2
    Permission denied errors show up when your security rules don't allow the operation. Can you edit your question and share your security rules? Also Firestore is a totally different database. Please use tags that are relevant to you questions. – Dharmaraj Dec 31 '22 at 09:34
  • Please edit your question and add the information Dharmaraj asked for, and please also respond using @. – Alex Mamo Dec 31 '22 at 09:35

1 Answers1

0

The REST API of the Firebase Realtime Database is documented here.

Given the error you get it seems that the developer implemented security rules on their server, so even when calling the API with their configuration data, you can only do what those rules allow. There is no way for you (or us) to know what those rules are, which is part of the security mechanism. Also see: Is it safe to expose Firebase apiKey to the public?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807