Firebase database secrets

userappinventor · January 29, 2024, 7:22am

Database secrets are currently deprecated and use a legacy Firebase token generator. Update your source code with the Firebase Admin SDK.

I'm trying to save user-written data on firebase, following a lot of tutorials, but I found this message.

Does this message mean that using "database secrets" will cause security problems?
I'm also wondering if I can't release an app using "database secrets" on the Play Store.

I looked up the data and couldn't find a clear meaning for it. Please help. And if there is a solution, please let me know.

TIMAI2 · January 29, 2024, 7:55am

Ask yourself as to why you need to use database secrets? This shouldn't usually be required to store data on Firebase.

userappinventor · January 29, 2024, 8:02am

I use firebaseDB and it needs database secrets.

TIMAI2 · January 29, 2024, 8:27am

No, that is where you can put your project api key, although you do not have to.

Ramon · January 29, 2024, 8:39am

Check this out to see where you can get that token from your firebase project and, if you don't have it, how to generate one.

userappinventor · January 30, 2024, 3:46am

When I use FirebaseDB, it doesn't run with the API key(Alza~~~). I've already found something that doesn't run with the API key, and I've found a way to use the "data secrets".

userappinventor · January 30, 2024, 3:47am

I already have the APIkey.
When I use FirebaseDB, it doesn't run with the API key(Alza~~~). I've already found something that doesn't run with the API key, so I've found a way to use the "data secrets".

Ramon · January 30, 2024, 7:06am

The other thing you need to use firebase is the firebaseURL:

you can find it in:

userappinventor · January 30, 2024, 7:44am

Of course I tried it.

TIMAI2 · January 30, 2024, 8:22am

As already said, you do not need the API key or the database secrets token to connect the experimental Firebase component to the Firebase realtime database. You really would not want to use the Firebase secrets key because this would leave your data wide open.

Have you set any secure rules?

Here is an example:

userappinventor · January 30, 2024, 12:01pm

Yes. This is my firebase rules. The users can save or get only their own data.

{ "rules": {
"fomo": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}

userappinventor · January 30, 2024, 12:03pm

data secrets : works fine
the web api key : firebase permission denied

This is the problem.

TIMAI2 · January 30, 2024, 12:24pm

I see you are not using the experimental firebase component...

Read all this:

Firebase Web Component

then you will understand what to do.

In essence you use the authenticated user's idToken to provide access to the data, which means an authenticated user must sign in in order to return a valid idToken. There is also a refresh token mechanism which I have not covered in the guide above.

Using the database secret token is not recommended because this exposes your entire firebase!

Ramon · January 30, 2024, 1:09pm

See what @TIMAI2 has posted for you

You can see your authenticated users in " Authentication" menu of firebase, with their user UIDs.

If don't need the authentication you can use firebase component.

userappinventor · January 30, 2024, 1:32pm

Thank you for your continued response. The site you suggested is already in my bookmark, and I've read it dozens of times. It's one of the things I've tried but I failed to apply to my case.

I'm currently trying to use firebaseDB, as I did in the beginning.

This is how I want to do it. But when I apply this code, I get "permission denied." The weird thing is that there were times when I successfully uploaded data this way without any problems. It's weird that it's the same code, but it's a different result.

I'm still looking for help or relevant guides for my case.

TIMAI2 · January 30, 2024, 1:34pm

The experimental firebase component is not designed to (and will not) work with secure rules.

Use the web component, or there are a couple of extensions that also use the Firebase Realtime Database REST api.

userappinventor · January 30, 2024, 11:16pm

The experimental firebase component is not designed to (and will not) work with secure rules.

Where can I find that information? I didn't know that.
Can you tell me how to turn my list into a form for using web components? I've read and followed a lot of guides, but they all only provide short examples, so it doesn't work well in my case. How do I apply it if I already have a list form like myself?

TIMAI2 · January 30, 2024, 11:42pm

Some examples:

(no rules used to return this)

As you can hopefully see, the list data is stored in firebase as a firebase array, and this is then returned as a stringified json array to the app (use the jsontextDecode block to convert back to an ai2 list)

userappinventor · January 31, 2024, 1:39am

I tried based on what you told me.

Since idToken is applied to import values, it works well without permission denied. This method does not use data secrets, so it will be safer, right?

userappinventor · January 31, 2024, 10:39am

So far, other things work fine. Thanks to you, I learned something new. Thank you.