1

Let me first explain the scenario:

1. Realtime Database looks like this:

{
  "Notifications": {
    "348199": 1, //Every change will increment one (1, 2, 3, 4, etc...)
    "737119": 1, //Every change will increment one (1, 2, 3, 4, etc...)
    "899173": 1  //Every change will increment one (1, 2, 3, 4, etc...)
  }
}

2. The client side (Android app):

Let's suppose the current user id is (348199), I will create a listener that observes any change on this node (348199), When the value is changed, I'll tell the user he has a new notification.

3. The server side (The API is written in PHP language):

Let's suppose someone sends a friend request to this user (348199), First I'll add a notification inside the Notifications table that exists inside MySQL and after added successfully I'll change the value of (348199) in the Real-Time Database

4. The URL that will change the value (Patch request)

https://IHideIt-default-rtdb.firebaseio.com/Notifications.json

The question is:

I want to reject the write request inside Firebase Real-Time Database if was coming from a browser, postman, my android app, etc..., How can I secure the URL above? (I want only my API can write inside Firebase Real-Time Database)

Improve this question

1 Answer 1

Reset to default
1

You can reject write operations from client SDK using security rules. The Admin SDK can still read/write the database from server side. Try the following rules:

{
  "rules": { 
    "Notifications": {  
      "$uid": {
        ".write": "false",
        ".read": "auth.uid == $uid"
      }
    }
  } 
}

These rules will allow users to read their own notifications only (if you are using Firebase Auth) and not write the database.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Can I send a unique id to Real-Time Database and check if the unique id is equal A694268A43914F1EB556367D32F9484A, If equal then accept the write, Otherwise reject it. It looks like API Key
No one will know the API key except my API
@TahaSami it's not possible to pass custom parameters in your query unless it's part of the body for write operations. For read maybe you can restructure you database so that the key is part of your the path that your are querying. Checkout this answer.
I don't know why we can't pass the API key like any other API. Very weird

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.