Firebase Cloud Firestore REST api authentication with only WEB API key?

3
votes

I'm trying to insert a new record in a Firebase Cloud Firestore database via its REST API and curl.

Reading from the database is working as expected since the operation is public. Create operation is not listed in the database rules and it is performed only server side, but I'm unable to do it using only the project API KEY.

Take for example the following curl request:

curl --header "Content-Type: application/json" \
    --request POST \
    --data '{"fields":{"myField": {"stringValue": "test"}}}' \
    https://firestore.googleapis.com/v1/projects/**MY_PROJECT**/databases/\(default\)/documents/**MY_COLLECTION**?key=**MY_KEY**

The above request returns "403: Missing or insufficient permissions.". The provided api key is fetched from the Firebase project's settings -> Web API key.

Am I missing something or authentication via only API keys is not possible?

p.s. I forgot to mention that the API KEY is unrestricted in the GCP dashboard.

1
firebaserestcurlgoogle-cloud-firestore

1 Answers

1
votes

The Firestore REST API doesn't support passing API keys. You'll notice that in the documentation, there is no mention of a "key" parameter.

If you want to perform authenticated operations using the REST API, you'll have to follow the documentation on authentication and authorization. To summarize:

For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:

  • Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.

  • Use a Google Identity OAuth 2.0 token and a service account to authenticate requests from your application, such as requests for database administration. For these requests, Cloud Firestore uses Cloud Identity and Access Management (IAM) to determine if a request is authorized.