How can I configure Firebase Security Rules to only allow writes from a CURL/PHP source?

StackOverflow https://stackoverflow.com/questions/21213489

29-09-2022

Question

I want to create a security rule in Firebase to only allow a PHP script (via a CURL request) to write to a location.

I can read/write to Firebase using a PHP script when the security rules allow anyone with authentication to read/write by appending .json?auth=MYAPPTOKEN to the URL.

I am also able to include/exclude users using Simple Login from reading/writing to locations, so I think I have a basic handle on the security rules syntax/operation.

Now, I want to have a location in Firebase that is only writeable from my PHP file.

Security rules that I've tried:

".write": "auth.secret == 'MYTOKEN'",
".write": "auth == 'MYTOKEN'",
".write": "auth.token == 'MYTOKEN'",

On the other side, I've tried modifying the .json?auth= in the request. Here's what I've tried:

$auth = array("token" => "MYTOKEN");
$auth = json_encode($auth);

Second Attempt:

$auth = json_encode("MYTOKEN");

And then replacing the .json?auth=MYTOKEN with .json?auth=$auth

So, how do I allow only that script to write to a location?

Thanks guys.


Solution

The basic principle is to only give your PHP script auth credentials that allow write, which I think you've basically captured.

If MYTOKEN represents your Firebase secret (you probably shouldn't use this) then security rules are bypassed, because this token sets admin: true internally.

Thus, you can just set your security rules to ".read": false, ".write": false, which will prevent access to anyone not using an admin token.

If you are generating the token yourself (which you probably should in this case), then you simply need to add a variable into the token, such as isMyPhpScript: true, that you can reference from your security rules.

You can simulate tokens with no expiry by using a date many years into the future, so it works just like your secret, but still allows you to apply security restrictions:

var FirebaseTokenGenerator = require("firebase-token-generator");
// The generator signs tokens with your Firebase secret; the secret itself never leaves the server.
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);
// An expiry far enough ahead that the token effectively never expires.
var veryFarInFuture = Date.now() + 8e+14;
// The first argument is the custom data that becomes the `auth` variable in your rules.
var token = tokenGenerator.createToken({ isMyPhpScript: true }, { expires: veryFarInFuture });

Now in your rules you can write things like this:

".read": "auth.isMyPhpScript === true"

If you want to create a custom token quickly without writing a script, you can use this fiddle I created for my own tinkering.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow