Why do Firebase Database security rules not apply to an Authenticated REST API?

Question

I am using Firebase Database and have set one security rule for testing

".write":false

Reads are always true.

Now when I write anything with the client side SDK inside an android app, the write is denied everywhere in the database as expected.

However, when I use an authenticated REST API patch request to write anything anywhere, it always succeeds.

The token is generated as follows:

       //googleCredAhmedabad and scopedAhmedabad are GoogleCredential objects

       InputStream is = getServletContext().getResourceAsStream("/WEB-INF/firebaseauth/myserviceaccountfile.json");

        googleCredAhmedabad = GoogleCredential.fromStream(is);

        scopedAhmedabad = googleCredAhmedabad.createScoped(
                Arrays.asList(
                        "https://www.googleapis.com/auth/firebase.database",
                        "https://www.googleapis.com/auth/userinfo.email"
                        )
                );

        scopedAhmedabad.refreshToken();

        String myToken = scopedAhmedabad.getAccessToken();

Does an (credential is generated with enough scopes using service-account) authenticated REST API call trump security rules?

Answer 1

It is mentioned on the Firebase Documentation:

The auth request parameter allows access to data protected by Firebase Realtime Database Rules, and is supported by all request types. The argument can either be our Firebase app secret or an authentication token, which we'll cover in the user authorization section.

And I see you've mentioned that you're using an authenticated REST API, so I'm assuming you do have the auth parameter set. Which means you're right: the security rules do not apply to authenticated REST APIs.