
I am not sure where I pass my auth uid token when I am making a request to firebase.

I've tried:

[myfirebaseurl]/path/1234.json?auth=[uid that I set].

Along with putting the UID in headers, content, and authorization. I am currently testing on reqbin before I put this into my application.

Basically, is it a URL parameter, a header, or where should I pass a UID that I set in the Firebase rules tab?

Thanks for any help!


1 Answer


It looks like you're trying to authenticate with an ID token. The ID token is not the same thing as the UID; it would be too easy to access someone else's account if all you needed was their UID.

You need to retrieve an ID token and use that where you are currently using the UID.

  • I am using a UID that I set within the rules. Here are my rules – Luxxe Oct 10 '21 at 18:53
  • { "rules": { "Whitelists": { ".read": "auth.uid == 'secret'", ".write": "auth.uid == 'secret'", "$uid" : { ".read": "$uid === auth.uid || auth.uid == 'secret'", ".write": "auth.uid == 'secret'" } } } } – Luxxe Oct 10 '21 at 18:55
  • I replaced the server UID with secret. – Luxxe Oct 10 '21 at 18:55
  • `auth.uid` and `?auth=id_token` are not the same; `auth.uid` is the UID of the authenticated user that submitted the request, as determined by the `?auth=id_token`. The way that you're trying to do things, if Firebase worked that way, would present a massive security vulnerability. – Asleepious Oct 10 '21 at 19:23
  • So how do I get my application to only let the person with the corresponding HWID see their data? I set the UID as their HWID. – Luxxe Oct 10 '21 at 19:25
  • I would suggest posting a separate question about that, because it's a much more complex security question than what you asked here. You see, a web request is a web request; you can't easily determine that the HWID claimed by a request is the actual HWID of a device. It's the same reason that UIDs aren't used as authentication tokens. Those tokens change regularly to reduce the likelihood of an unauthenticated user being able to procure and use someone else's token (they'd have to do it on every refresh). If a malicious user were to acquire an authenticated HWID they could simply claim it. – Asleepious Oct 10 '21 at 19:32
  • I already have a system for that, it doesn’t need to be answered here. How do I access values in the database with the UIDs is my question – Luxxe Oct 10 '21 at 22:07
  • You need to retrieve an ID token per the second link in my answer, then use that ID token as the `?auth=` value instead of using a UID. `?auth=` is the security feature that you're looking for; you're just using it wrong. It does not rely on the user's UID (as that would be very insecure) but rather on a temporary and rapidly-rotating authentication token that can be retrieved and refreshed periodically to ensure that the requester isn't just someone who knows the UID of the claimed account, but someone who has successfully authenticated recently. – Asleepious Oct 10 '21 at 22:50
  • 1
    This resource is very confusing to me. I am making a python application. How would I get a ID token that way? – Luxxe Oct 10 '21 at 23:12
  • Alright, added python to the tags. You can use the [email/password REST endpoint](https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password) or the [OAuth REST endpoint](https://firebase.google.com/docs/reference/rest/auth#section-link-with-oauth-credential) to get a token, but I don't know how you'll be able to merge that with your HWID system. The HWID = UID pattern seems almost arbitrary. – Asleepious Oct 10 '21 at 23:34
  • 1
    I made an in-depth post about another clarification. It's fine if you can't or don't want to help anymore, though. https://stackoverflow.com/questions/69527867/firebase-is-saying-permission-denied – Luxxe Oct 11 '21 at 14:30