The BigQuiz app uses Firebase to keep track of the question, category and game scores of individual players. In JSON web tokens I showed an example of how to authenticate and authorize when making a call to the Firebase JSON API. This is now built in to goa so that an app that needs multiple OAuth2 authorizations (as the BigQuiz app does) can use the same library and technique for everything.
Goa library is available with this key.
Try the App here.
There are multiple ways to authorize requests to the Firebase JSON API, the easiest of which is using JSON web tokens (JWT). This post covers how to make a JWT using goa. All that's needed is to append the ?auth=jwt parameter to each request, where jwt is a JSON web token made from an api key and the uid of whoever is accessing, generated and managed by goa. A future post will go into the more complex OAuth2 method using Goa.
Firebase security is controlled through rules. This app dashboard entry shows that I am the only person allowed to access this database, and that I am allowed to both read and write.
To be able to use JWT, you can use Firebase custom Login & Auth to set up a Firebase secret.
You'll find this under Secrets
Each request to the Firebase JSON API takes a JWT made up from this secret, plus an object that describes who is accessing - which will be validated against the Security and Rules entry we looked at earlier. In my case, this object looks like this, with the uid matching the one set up in the Security and Rules entry.
The third thing that's required for database access is the root of the Firebase database, which in my case is
Just as in all Goa authorization setups, you need a one-off function that can be deleted after running. Mine looks like this.
You'll need to change the packagename to whatever you want to refer to this by, the root to your database, the uid to the accessor and the clientSecret to your Firebase secret. You can also change the property store from the script property store if, for example, you want to use different credentials for different users. Although this method is not using OAuth2, this would follow the same approach as described in Using OAuth2 when published as 'user accessing the webapp'. However, it's more likely you'll be using the script properties if you are using JWT for authorization.
If you are using my cFireBase library (more on this in a subsequent post), then this is all that's required. Just change the package name and the properties service to the ones you've used.
Subsequent accesses to Firebase are simply made as in these examples.
If you are not using the cFireBase library, you can extract the auth parameter from goa like this.
If you are not using the cGoa library, cFireBase also has a built-in JWT generator. You can use it like this, passing your database root, the auth rules, and your client secret.
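What a secret-based JWT generator of this kind does, as an added example that is not cGoa or cFireBase code: it signs a claims object carrying the uid with HMAC-SHA256 keyed by the Firebase secret, then appends the result as ?auth=. It is written for Node.js rather than Apps Script, the function names and sample values are constructed, and the claim layout (v, iat, exp, d) is assumed to follow the legacy Firebase custom token format.

```javascript
// Added example (Node.js): function names and sample values are hypothetical.
const crypto = require('crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');
const hmac = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Build the token: header.claims.signature, signed with the Firebase secret.
// authData is the "who is accessing" object, e.g. { uid: '...' }.
function makeFirebaseJwt(secret, authData, nowSec, ttlSec) {
  const header = { typ: 'JWT', alg: 'HS256' };
  // Assumed legacy claim layout; a short exp limits the value of a leaked URL.
  const claims = { v: 0, iat: nowSec, exp: nowSec + ttlSec, d: authData };
  const signingInput =
    b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  return signingInput + '.' + hmac(secret, signingInput).toString('base64url');
}

// Receiving side, sketched: check the signature in constant time BEFORE
// parsing anything, pin the algorithm, then enforce expiry.
// Returns the auth object on success, null on any failure.
function verifyFirebaseJwt(secret, jwt, nowSec) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const expected = hmac(secret, parts[0] + '.' + parts[1]);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const decode = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (decode(parts[0]).alg !== 'HS256') return null;
  const claims = decode(parts[1]);
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return null;
  return claims.d;
}

// Append the token to a JSON API request, as the ?auth= parameter.
function authUrl(root, path, jwt) {
  return root.replace(/\/+$/, '') + '/' + path + '.json?auth=' +
    encodeURIComponent(jwt);
}
```

In Apps Script the same signature can be computed with Utilities.computeHmacSha256Signature, with the secret read from the property store rather than written into the script.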