I want to implement the server authentication method described here in paragraph 1.
- Using a Firebase app secret: All authentication methods can accept a Firebase app secret instead of a JWT token. This will grant the server complete read and write access to the entire Firebase database. This access will never expire unless it is revoked via the App Dashboard.
I need direction on how to do this. I don't want to use any auth variable as I will not be authenticating users but, rather, my server via some single, static secret key.
So what would my security rules look like?
Here is what I have so far.
security-rules.json

    {
      "rules": {
        ".read": true,
        ".write": "secret == 'mykey'"
      }
    }
And how would I implement this in my server-side HTTP request? Would I create a header called secret with value mykey like this:
{"secret": "mykey"}
To use the secret in an HTTP request, you pass it in the auth parameter of the URL. E.g.
curl 'https://yours.firebaseio.com/.json?auth=<your_secret>'
When you use your secret to authenticate with Firebase, the resulting session is running as an administrator. It has full read/write access to the entire Firebase database, just like you have when you access the Firebase dashboard. So you don't need to grant any permissions in the security rules.
If you want to be able to detect the server, you should use a custom token instead of your secret. When you create a custom token, you determine exactly what goes into the auth variable. E.g.
    {
      "uid": "myserver"
    }
Now you can check for that specific uid in your security rules:
    {
      "rules": {
        ".read": true,
        ".write": "auth.uid == 'myserver'"
      }
    }
You can mint a custom token using this jsfiddle: http://jsfiddle.net/firebase/XDXu5/
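The custom-token approach described above, sketched server-side as an added example (not code from the original answer or from Firebase): it mints a token whose payload carries `{"uid": "myserver"}` and shows that changing the payload without the secret breaks the signature. It assumes the legacy custom-token layout, an HS256 JWT with claims `v`, `iat` and `d`, signed with the app secret; `SECRET` and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; the real secret stays on the server and is never sent.
SECRET = "constructed-example-secret"


def b64url(raw):
    """URL-safe base64 without padding, as JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(secret, signing_input):
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())


def mint_token(secret, auth_data, issued_at=None):
    """Build an HS256 JWT whose "d" claim becomes `auth` in the security rules."""
    # Assumption: legacy claim layout (v = 0, iat = issue time, d = auth payload).
    iat = int(time.time()) if issued_at is None else issued_at
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"v": 0, "iat": iat, "d": auth_data}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return signing_input + "." + sign(secret, signing_input)


def verify_token(secret, token):
    """Recompute the HMAC and return the "d" claim; ValueError if it does not match."""
    header_b64, claims_b64, signature = token.split(".")
    expected = sign(secret, header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims_b64))["d"]


if __name__ == "__main__":
    token = mint_token(SECRET, {"uid": "myserver"})
    print("https://yours.firebaseio.com/.json?auth=" + token)
```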
The Firebase secret is deprecated, so I recommend that you not use it.