Firebase 通过 REST API PHP CURL 获取数据
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14073328/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Firebase GET data via REST API PHP CURL
提问by user857276
Trying to do a simple read via PHP cURL. I can read my data successfully if my security rules let everyone in e.g.
尝试通过 PHP cURL 进行简单的读取。如果我的安全规则允许每个人进入,我就可以成功读取我的数据,例如
{
"rules": {
".read": true,
".write": true
}
}
However if I restrict read/write to a specific username e.g.
但是,如果我将读/写限制为特定的用户名,例如
{
"rules": {
".read": "auth.username == 'admin'",
".write": "auth.username == 'admin'"
}
}
I get permission denied.
我得到许可被拒绝。
The code is as follows...
代码如下...
require('JWT.php');
$secret = 'MY_FIREBASE_SECRET';
$data = array('username' => 'admin');
$token = JWT::encode($data, $secret);
$url = "https://MY_FIREBASE.firebaseio.com/messages.json?auth=$token";
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url
));
$response = curl_exec($curl);
Its worth noting, if I just use my FB secret instead of a token in the URL I am able to successfully read the data (auth=$secret). I have also successfully tested reading the data in the Forge simulator using "custom auth" e.g. {'username': 'admin'}
值得注意的是,如果我只是在 URL 中使用我的 FB 秘密而不是令牌,我能够成功读取数据(auth=$secret)。我还成功地测试了使用“自定义身份验证”读取 Forge 模拟器中的数据,例如 {'username': 'admin'}
I'm using the PHP JWT library: https://github.com/luciferous/jwt/blob/master/JWT.php
我正在使用 PHP JWT 库:https: //github.com/luciferous/jwt/blob/master/JWT.php
Not sure if I'm getting permission denied because my cURL call is not correct or I'm not constructing the token properly. I have tried using POST and GET via cURL but I'm getting the same result.
不确定我是否因为我的 cURL 调用不正确或我没有正确构建令牌而被拒绝许可。我曾尝试通过 cURL 使用 POST 和 GET,但得到了相同的结果。
Any suggestions would be much appreciated...
我们欢迎所有的建议...
Thanks for the super quick response Andrew. I tried your suggestion. Unfortunately, I'm still getting 'permission denied'. Here is my updated code...
感谢安德鲁的超级快速反应。我试过你的建议。不幸的是,我仍然收到“权限被拒绝”的消息。这是我更新的代码...
require('JWT.php');
$secret = 'my-secret';
$user = array( 'v' => 0, 'iat' => time(), 'd' => array('username' => 'admin', 'type' => 'admin', 'fullname' => 'Administrator'));
$token = JWT::encode($user, $secret);
$curl = curl_init();
$url = "https://myfirebase.firebaseio.com/messages.json?auth=$token";
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url
));
$response = curl_exec($curl);
curl_close($curl);
- I did get this working by changing the .read rule for our data to
"auth != null" - but that doesn't seem to quite as secure...
- 我确实通过将数据的 .read 规则更改为“auth != null”来实现这一点——但这似乎不太安全......
For reference our data structure is simply
作为参考,我们的数据结构很简单
+ myfirebase
+ messages
- 000001 = "this is the 1st test message"
- 000002 = "this is the 2nd test message"
BTW: Our application will only have 1 user reading/writing data. If I can not get the token to work... Is there a better way to authenticate calls via the REST API without resorting to passing our secret key in the URL? e.g. &auth='my-secret'
顺便说一句:我们的应用程序将只有 1 个用户读/写数据。如果我无法使令牌工作......是否有更好的方法来通过 REST API 验证调用,而无需在 URL 中传递我们的密钥?例如 &auth='my-secret'
回答by Andrew Lee
The Firebase JWT has some structure to it that is missing here. There's a detailed explanation of what should be in these auth tokens here: https://www.firebase.com/docs/security/jwt-auth-token-format.html
Firebase JWT 有一些这里缺少的结构。此处详细说明了这些身份验证令牌中应包含的内容:https: //www.firebase.com/docs/security/jwt-auth-token-format.html
Here is a snippet with the appropriate structure.
这是具有适当结构的片段。
require_once('JWT.php');
$fbSecret = 'your-secret';
$user = array( 'v' => 0, 'iat' => <timestamp>,
'd' => array('username' => 'jimbob', 'type' => 'admin',\
'fullname' => 'Jim Bob')
);
$token = JWT::encode($user, $fbSecret);
Note that the "d" field contains the actual payload. "v", and "iat" are also required. "iat" should be the number of seconds since the epoch (it's the number that (new Date()).getTime() returns in Javascript).
请注意,“d”字段包含实际有效负载。“v”和“iat”也是必需的。“iat”应该是自纪元以来的秒数(它是 (new Date()).getTime() 在 Javascript 中返回的数字)。
