The basic principle is to only give your PHP script auth credentials that allow write, which I think you've basically captured.
If MYTOKEN represents your Firebase secret (you probably shouldn't use this) then security rules are bypassed, because this token sets admin: true internally.
Thus, you can just set your security rules to ".read": false, ".write": false, which will prevent access to anyone not using an admin token.
If you are generating the token yourself (which you probably should in this case), then you simply need to add a variable into the token, such as isMyPhpScript: true, that you can reference from your security rules.
You can simulate tokens with no expiry by using a date many years into the future, so it works just like your secret, but still allows you to apply security restrictions:
// Load the legacy token generator and seed it with the Firebase secret
var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
// Expiry so far ahead that the token effectively never expires
var veryFarInFuture = Date.now() + 8e+14;
// The first argument becomes the `auth` object seen by your security rules
var token = tokenGenerator.createToken({ isMyPhpScript: true }, { expires: veryFarInFuture });
Now in your rules you can write things like this:
".read": "auth.isMyPhpScript === true"
If you want to create a custom token quickly without writing a script, you can use this fiddle I created for my own tinkering.