
I am using Firebase Token Generator to generate secure tokens in PHP:

<?php
// Composer autoloader (assumes the library was installed with Composer) and the
// Token Generator classes this script uses
require_once 'vendor/autoload.php';

use Firebase\Token\TokenGenerator;
use Firebase\Token\TokenException;

const DEFAULT_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

date_default_timezone_set('Europe/London');

try {
    $generator = new TokenGenerator(DEFAULT_SECRET);
    $token = $generator
        ->setOptions(array(
            'expires' => strtotime('now + 1 minute'), // token is valid for one minute
            'debug' => true
        ))
        ->setData(array('uid' => 'exampleID'))
        ->create();
} catch (TokenException $e) {
    echo "Error: ".$e->getMessage();
    exit; // $token is undefined here, so do not fall through to the JSON response
}

$response = array(
   'token' => $token
);

echo json_encode($response);

On the client side I am using a JSON request to retrieve the token as a JSON object:

$.getJSON('http://localhost/firebase/index.php', function(json) {
    var jwtToken = json.token;
    launchFirebase(jwtToken);
});

function launchFirebase(token) {
    // FirebaseURL and vote are defined elsewhere in the page's script
    var fb = new Firebase(FirebaseURL);

    fb.authWithCustomToken(token, function(error, authData) {
        if (error) {
            alert("There was an error posting your vote. Please try again later.");
        } else {
            checkEmail();
        }
    });

    function checkEmail() {
        new Firebase(FirebaseURL)
            .orderByChild('email')
            .startAt(vote.email)
            .endAt(vote.email)
            .once('value', function(snap) {
                var result = snap.val();
                callback(result); // callback is assumed to be in scope from the surrounding code
            });
    }
}

I can now read data from Firebase so this works fine. My security concern is that anyone can view the source code and go directly to the PHP script (http://localhost/firebase/index.php) to retrieve the token.

They could then view all the data via an API call like this: https://examplesite.firebaseio.com/.json?print=pretty&auth=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What's the best practice to keep the PHP script secure?
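An added example, not code from the question or the answer, showing one way to gate the token-issuing script so that it only mints a token for a visitor who has already logged in to the PHP application, with the uid bound to that session's user and a short expiry. It assumes the Token Generator library is installed with Composer, that a login page elsewhere sets $_SESSION['user_id'], and that the Firebase secret is read from a FIREBASE_SECRET environment variable; all three are assumptions, not part of the original post.

```php
<?php
// Added example (not the asker's code): mint a Firebase custom token only for an
// authenticated PHP session, and scope it to that session's user.
// Assumptions: Composer-installed Token Generator, a login page that has set
// $_SESSION['user_id'], and the secret in the FIREBASE_SECRET environment variable.
require_once __DIR__ . '/vendor/autoload.php';

use Firebase\Token\TokenGenerator;
use Firebase\Token\TokenException;

session_start();
header('Content-Type: application/json');

// The secret lives in the environment, not in a constant inside a web-served file.
$secret = getenv('FIREBASE_SECRET');

// Anonymous visitors (anyone who simply opens index.php) get no token at all.
if ($secret === false || empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(array('error' => 'not authenticated'));
    exit;
}

try {
    $generator = new TokenGenerator($secret);
    $token = $generator
        ->setOptions(array(
            // Short-lived: a token that leaks stops working within minutes.
            'expires' => time() + 5 * 60,
            // No 'debug' or 'admin' options in production; both widen what the token can do.
        ))
        // The uid is the session's own user, so Firebase security rules can limit
        // reads to that user's data rather than to "anyone holding a token".
        ->setData(array('uid' => (string) $_SESSION['user_id']))
        ->create();
} catch (TokenException $e) {
    http_response_code(500);
    echo json_encode(array('error' => 'could not create token'));
    exit;
}

echo json_encode(array('token' => $token));
```

With this in place, fetching index.php directly without a logged-in session returns a 401 instead of a usable token, and any token that is issued names a specific uid that the database rules can check.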

1 Answer

I figured out that I needed to move the client logic inside my server side script so it is secure. I am now using Firebase PHP Client.

Inside my PHP script I have:

<?php
// Composer autoloader for the Firebase PHP Client (assumes a Composer install)
require_once 'vendor/autoload.php';

const DEFAULT_URL = 'https://examplesite.firebaseio.com/';
const DEFAULT_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
const DEFAULT_PATH = '/';

$firebase = new \Firebase\FirebaseLib(DEFAULT_URL, DEFAULT_TOKEN);

// --- reading the Firebase database ---
// get() returns the JSON stored at the path as a string
$database = $firebase->get(DEFAULT_PATH);

// the email to look for; strpos() misbehaves with an empty needle, so treat a missing value as "not found"
$searchString = isset($_GET["email"]) ? $_GET["email"] : '';

if ($searchString !== '' && strpos($database, $searchString) !== false) {
    $response = array(
        'emailExists' => true
    );
} else {
    $response = array(
        'emailExists' => false
    );
}

echo json_encode($response);

And then on the client side I have:

findUser: function(email, callback) {
    $.getJSON('https://PHP_LOCATION.com/index.php', {
        email: email
    }, function(json) {
        callback(json.emailExists);
    });
}

For info: the purpose of this script is to check whether or not an email address already exists in the Firebase database.
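An added example, not the answerer's code, of a hardened version of the same server-side check. It validates the incoming email before using it, queries only the matching record through the Firebase REST API instead of downloading the whole database and substring-matching the JSON text (which also matches partial values), keeps the secret on the server, and returns nothing but a boolean. It assumes the secret is in a FIREBASE_SECRET environment variable, that user records live under /users with an email child, and that email is indexed in the security rules (".indexOn": ["email"]) so the query is permitted; those are assumptions, not details from the original answer.

```php
<?php
// Added example (not the answerer's code): a hardened "does this email exist" endpoint.
// Assumptions: secret in the FIREBASE_SECRET environment variable, user records under
// /users each with an 'email' child, and ".indexOn": ["email"] in the security rules.

header('Content-Type: application/json');

$secret = getenv('FIREBASE_SECRET');             // never hard-coded in a web-served file
$dbUrl  = 'https://examplesite.firebaseio.com';  // database URL from the answer

$email = isset($_GET['email']) ? trim($_GET['email']) : '';

// Reject anything that is not syntactically an email before it reaches Firebase.
if ($secret === false || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    echo json_encode(array('emailExists' => false));
    exit;
}

// Ask Firebase for the matching record only. orderBy/equalTo values are JSON
// strings, so they are quoted before URL-encoding.
$query = http_build_query(array(
    'auth'    => $secret,
    'orderBy' => '"email"',
    'equalTo' => json_encode($email),
));

$ch = curl_init($dbUrl . '/users.json?' . $query);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$exists = false;
if ($body !== false && $status === 200) {
    // No match decodes to an empty array ({}), a missing node to null; a hit is a
    // non-empty array keyed by record id.
    $matches = json_decode($body, true);
    $exists  = is_array($matches) && count($matches) > 0;
}

// The browser only ever learns true/false; the secret and the records stay server-side.
echo json_encode(array('emailExists' => $exists));
```

The client-side findUser call from the answer works unchanged against this script, since the response shape (a JSON object with an emailExists boolean) is the same.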
