Access URL Parameters In Firebase RTDB Security Rules

0
votes

I want to read data from Firebase: 

firebase.database().ref('videos/' + $videoId + '/data' ).once('value')

But in security rules I don't want to make this readable by anyone. Aka I do not want to use:

".read" : true

I want non-authenticated users to be able to read data if they have a special token, that they pass in the url. 

firebase.database().ref('videos/' + $videoId + '/data?token=secretToken').once('value')

My video data looks like this:

{
vidoes: {
    $videoId: {

        data: {
            ...
        }
        tokens: {
            secretToken: true
        }

    }
}

I imagine security rules would look something like this:

{
vidoes: {
    $videoId: {
        data: {
            ".read": "data.parent().child('tokens/' + auth.urlQuery('token').val() ).exist()"
        }

    }
}

Is there anyone I can access query string/ url parameters in Firbase security rules? I could use Firebase functions to create an api, but that is an extra step and network request.

Essentially it would behave like a "token" for Firebase storage: 

https://firebasestorage.googleapis.com/v0/b/columbus-c4de8.appspot.com/o/richContent%2F1-min.jpeg_-LPgLxBMt1tBR0dDdNzH?alt=media&token=dfe24c92-e0c2-484a-81df-c09a710b3d34

If the token is correct, then user can read the data.

Note: It's technically possible to use tokens for ".write" security rules. See: Using newData on Updates in Firebase Security Rules

1
firebasefirebase-security

1 Answers

1
votes

This is not possible, and is also not inherently secure. Firebase security rules would not be secure if anyone had a simple password that let them access data. It's pretty easy to reverse engineer a mobile client to extra the password that allows the query.

If you want to grant access to a query to a user, the only secure way to do that is in tandem with Firebase Authentication, which validates the identity of the person performing the request.