How can I secure Firebase Real-Time Database Rest API?

Question

Let me first explain the scenario:

1. Realtime Database looks like this:

{
  "Notifications": {
    "348199": 1, //Every change will increment one (1, 2, 3, 4, etc...)
    "737119": 1, //Every change will increment one (1, 2, 3, 4, etc...)
    "899173": 1  //Every change will increment one (1, 2, 3, 4, etc...)
  }
}

2. The client side (Android app):

Let's suppose the current user id is (348199) , I will create a listener that observes any change on this node (348199) , When the value is changed, I'll tell the user he has a new notification.

3. The server side (The API is written in PHP language):

Let's suppose someone sends a friend request to this user (348199) , First I'll add a notification inside the Notifications table that exists inside MySQL and after added successfully I'll change the value of (348199) in the Real-Time Database

4. The URL that will change the value (Patch request)

https://IHideIt-default-rtdb.firebaseio.com/Notifications.json

The question is:

I want to reject the write request inside Firebase Real-Time Database if was coming from a browser, postman, my android app, etc..., How can I secure the URL above? (I want only my API can write inside Firebase Real-Time Database)

Answer 1

You can reject write operations from client SDK using security rules . The Admin SDK can still read/write the database from server side. Try the following rules:

{
  "rules": { 
    "Notifications": {  
      "$uid": {
        ".write": "false",
        ".read": "auth.uid == $uid"
      }
    }
  } 
}

These rules will allow users to read their own notifications only (if you are using Firebase Auth) and not write the database.