Reputation: 33
How do I add an authentication system for cURL on Firebase?
I'm using Firebase to do a small project and while testing things I discovered I can do cURL requests from any server to my Firebase Database (tested on an online php tester), so I'm considering this is a security flaw for my project and I have been looking for a method to add some kind of password for cURL requests, but I found nothing, at least nothing I could understand. I know firebase have rules to manage who can read or write on my database, but I didnt find something that could filter requests by server or only allow requests that have an special password sent as parameter. So my question is if there is a way to do something like that I could use on my project so only cURL requests made for me would work.
Here it is one of my cURL requests, in case it helps for resolving my problem.
$url = "https://mydatabase.firebaseio.com/profile/messages/".$_COOKIE['cookiename'].".json";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
$data = json_decode($response, true);
Thanks in advance for helping me out.
UPDATE: I found this, I think it could be the thing I need, but Im missing the part where I tell the database to ask for the access token. https://firebase.google.com/docs/database/rest/auth
Upvotes: 3
Views: 3482
Answers (3)
Reputation: 61
it worked,
with one TestController:
get access_token using google/apiclient library in Laravel(php8),
This access_token works with any project in 1 firebase
https://github.com/linhdv96/cUrl-firebase-remote-config
Upvotes: 0
Reputation: 83153
One solution is to use the Firebase Auth REST API.
In particular, "you can sign in a user with an email and password by issuing an HTTP POST request to the Auth verifyPassword endpoint", see here.
Then you can use the user's uid in your Firebase security rules, in order to protect your database.
Upvotes: 2
Reputation: 317692
You should read and understand the documentation for the REST API. If you want to bypass security rules that would normally apply to web and mobile users, you will need to generate an OAuth token for a service account that has permissions to access your database, and use that in your requests.
If you don't want public access to your database, you will have to set up security rules to limit that. To stop all public access, your rules should be:
{
"rules": {
".read": false,
".write": false
}
}
Upvotes: 0
Related Questions
- How to Authenticate with Firebase realtime database using UID or Email and Password for REST API using postman
- Laravel Firebase authentication
- Firebase authentication with backend in android
- Firebase CREDENTIAL for rest API
- Firebase Auth JS/PHP
- Firebase Setup with PHP CURL
- How to post data to firebase using PHP?
- Firebase REST access using PHP with Authentication
- PHP: firebase identity authentication
- Firebase PHP CURL Authentication