Firebase server side auth with HTTP POST request using the firebase secret

Question

According to the firebase documentation, Firebase accepts all REST API types for authentication.

REST API - Firebase authentication In other words, PUT/POST/GET requests can all be used in a HTTP Request to authenticate authorization. This is the example code:

curl \
https://SampleChat.firebaseIO-demo.com/users/jack/name.json?auth=CREDENTIAL

The Firebase documentation also states:

The argument can either be your Firebase Secret or an authentication token

The POST request I'm sending is configured like this:

var Credential = "{\"auth:\", \"zXRLa7lybhJ21ZYqpXuqkT6YAYyySAGJ10lXInKy\"}";

https://MyFirebaseName.firebaseio.com/.json?auth="+Credential

So, I want to use a POST request, with my Firebase Secret for server authentication. My Security rule is:

{
    "rules": {
        ".read": true,
        ".write": "auth == 'zXRLa7lybhJ21ZYqpXuqkT6YAYyySAGJ10lXInKy'"
    }
}

I'm getting an error returned from firebase that states:

Invalid argument: "https://MyFirebaseName.firebaseio.com/.json?auth="zXRLa7lybhJ21ZYqpXuqkT6YAYyySAGJ10lXInKy"

It seems like the POST request is actually getting through to Firebase, and Firebase is reading the data. It's just that the argument isn't configured correctly. I've tried everything I can think of. I'm not sure how the CREDENTIALS are supposed to be configured, and I can't find anything about it. Maybe it should be something like:

{"auth": "The Secret Here"} 

I just tried that, and it won't accept it.

I've also tried using:

{
    "rules": {
        ".read": true,
        ".write": "auth !== null"
    }
}

In the hopes that no matter what I sent in the REST API would be accepted, but that didn't work.

What am I doing wrong? I've gone over the documentation many times, searched here, searched a Google group. I can't figure it out. I need to know the format, and the syntax for how the POST data gets sent in the CREDENTIALS.

Answer 1

The URL cannot parse json. It's just a string of text. Simply include the token directly.

curl -X https://INSTANCE.firebaseio.com/users/jack.json?auth=zXRLa7lybhJ21ZYqpXuqkT6YAYyySAGJ10lXInKy  // not { auth: '...' }

When you use your firebase secret in the URL, security rules are not applied. The secret allows you full read/write access without regard to security rules or validation. So there is no need to read anything into your security rules.

When working with tokens, you do not refer to the security token itself. That is an encrypted json object and the contents are what are available in security rules.

To understand what is taking place here, you will want a rudimentary understanding of tokens. At a bare minimum, this requires reading the security quickstart from top to bottom, and the section about the auth variable from top to bottom.

In the auth variable section, you will find this example:

var token = tokenGenerator.createToken({"app_user_id": 1234, "isModerator": true });

Note that the contents of the token are app_user_id and isModerator. You can now refer to those two variables in security rules:

".read": "auth.isModerator === true"

You can also develop a better understanding of tokens by fiddling with them here; allows you to create and break down tokens to see what is inside of them, as well as validating them against your namespace to make sure they function.

Answer 2

Your rules just needs to have write set to false, like so:

{
    "rules": {
        ".read": true,
        ".write": false
    }
}

The "?auth=yourFireBaseSecret" in your curl request will allow your REST call to go through regardless of the rules. Any other requests will need to respect it and won't be able to write to your data.