Firebase 通过 REST API PHP CURL 获取数据 [英] Firebase GET data via REST API PHP CURL

问题描述

尝试通过 PHP cURL 进行简单的读取.如果我的安全规则允许所有人进入，我就可以成功读取我的数据，例如

Trying to do a simple read via PHP cURL. I can read my data successfully if my security rules let everyone in e.g.

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

但是，如果我将读/写限制为特定的用户名，例如

However if I restrict read/write to a specific username e.g.

{
  "rules": {
    ".read": "auth.username == 'admin'",
    ".write": "auth.username == 'admin'"
  }
}

我的权限被拒绝.

代码如下...

require('JWT.php');
$secret = 'MY_FIREBASE_SECRET';
$data = array('username' => 'admin');
$token = JWT::encode($data, $secret);

$url = "https://MY_FIREBASE.firebaseio.com/messages.json?auth=$token";
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => $url
));
$response = curl_exec($curl);

<小时>

值得注意的是，如果我只是在 URL 中使用我的 FB 秘密而不是令牌，我能够成功读取数据 (auth=$secret).我还成功地测试了使用自定义身份验证"读取 Forge 模拟器中的数据，例如{'用户名':'管理员'}

---

Its worth noting, if I just use my FB secret instead of a token in the URL I am able to successfully read the data (auth=$secret). I have also successfully tested reading the data in the Forge simulator using "custom auth" e.g. {'username': 'admin'}

我正在使用 PHP JWT 库:https://github.com/luciferous/jwt/blob/master/JWT.php

I'm using the PHP JWT library: https://github.com/luciferous/jwt/blob/master/JWT.php

不确定我的权限是否被拒绝，因为我的 cURL 调用不正确，或者我没有正确构建令牌.我曾尝试通过 cURL 使用 POST 和 GET，但得到了相同的结果.

Not sure if I'm getting permission denied because my cURL call is not correct or I'm not constructing the token properly. I have tried using POST and GET via cURL but I'm getting the same result.

任何建议将不胜感激...

Any suggestions would be much appreciated...

感谢安德鲁的超级快速回复.我试过你的建议.不幸的是，我仍然收到权限被拒绝"的消息.这是我更新的代码...

Thanks for the super quick response Andrew. I tried your suggestion. Unfortunately, I'm still getting 'permission denied'. Here is my updated code...

require('JWT.php');
$secret = 'my-secret';
$user = array( 'v' => 0, 'iat' => time(), 'd' => array('username' => 'admin', 'type' => 'admin', 'fullname' => 'Administrator'));
$token = JWT::encode($user, $secret);
$curl = curl_init();
$url = "https://myfirebase.firebaseio.com/messages.json?auth=$token";
curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => $url
));
$response = curl_exec($curl);
curl_close($curl);

• 我确实通过将数据的 .read 规则更改为auth != null" - 但这似乎不太安全......

  ---

作为参考，我们的数据结构很简单

For reference our data structure is simply

+ myfirebase
            + messages
                       - 000001 = "this is the 1st test message"
                       - 000002 = "this is the 2nd test message"

顺便说一句:我们的应用程序将只有 1 个用户读/写数据.如果我无法使令牌工作......是否有更好的方法来通过 REST API 验证调用，而无需在 URL 中传递我们的密钥?例如&auth='my-secret'

BTW: Our application will only have 1 user reading/writing data. If I can not get the token to work... Is there a better way to authenticate calls via the REST API without resorting to passing our secret key in the URL? e.g. &auth='my-secret'

推荐答案

Firebase JWT 有一些这里缺少的结构.此处详细说明了这些身份验证令牌中应包含的内容:https://www.firebase.com/docs/security/jwt-auth-token-format.html

The Firebase JWT has some structure to it that is missing here. There's a detailed explanation of what should be in these auth tokens here: https://www.firebase.com/docs/security/jwt-auth-token-format.html

这是一个具有适当结构的片段.

Here is a snippet with the appropriate structure.

require_once('JWT.php');

$fbSecret = 'your-secret';
$user = array( 'v' => 0, 'iat' => <timestamp>, 
  'd' => array('username' => 'jimbob', 'type' => 'admin',\
    'fullname' => 'Jim Bob')
  );
$token = JWT::encode($user, $fbSecret);

请注意，d"字段包含实际负载.v"和iat"也是必需的.iat"应该是自纪元以来的秒数(它是 (new Date()).getTime() 在 Javascript 中返回的数字).

Note that the "d" field contains the actual payload. "v", and "iat" are also required. "iat" should be the number of seconds since the epoch (it's the number that (new Date()).getTime() returns in Javascript).

这篇关于Firebase 通过 REST API PHP CURL 获取数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！