When using Firebase's server API, you can provide additional databaseAuthVariableOverride section to limit access of the service account, as described in the docs. I wanted to use Pyrebase, as it's in python and supports using service accounts. However, if I log in using a service account there, it has full access to the database -- the validation rules before write are not checked (while I do want them to be checked).
So, there are two parts to this question:
- Is it possible to add support for
databaseAuthVariableOverrideinto Pyrebase at all? I see it uses Firebase REST API, and I don't know if that supports it, and where should I send that variable. - I can work around this issue by not using the service account, but a normal email/password account set to a particular email, and add root read/write rules checking
auth.email === '<my-email>and/orauth.uid === '<my-account-uid>'. Question here is: is this equally secure as using a service account with limited access (as linked on the top)?
