When using Firebase's server API, you can provide an additional `databaseAuthVariableOverride` section to limit the access of the service account, as described in the docs. I wanted to use Pyrebase, as it's in Python and supports using service accounts. However, if I log in using a service account there, it has full access to the database -- the validation rules before write are not checked (while I do want them to be checked).
So, there are two parts to this question:
- Is it possible to add support for `databaseAuthVariableOverride` into Pyrebase at all? I see it uses the Firebase REST API, and I don't know if that supports it, and where I should send that variable.
- I can work around this issue by not using the service account, but a normal email/password account set to a particular email, and add root read/write rules checking `auth.email === '<my-email>'` and/or `auth.uid === '<my-account-uid>'`. The question here is: is this equally secure as using a service account with limited access (as linked at the top)?