The BigQuiz app uses Firebase to keep track of the question, category and game scores of individual players. In JSON web tokens I showed an example of how to authenticate and authorize when making a call to the Firebase JSON API. This is now built in to goa so that an app that needs multiple OAuth2 authorizations (as the BigQuiz app does) can use the same library and technique for everything.
The Goa library is available with this key:
MZx5DzNPsYjVyZaR67xXJQai_d-phDA33
Try the App here.
Firebase authentication
There are multiple ways to authorize requests to the Firebase JSON API, the easiest of which is using JSON web tokens (JWT). This post covers how to make a JWT using goa. All that’s needed is to append the ?auth=jwt parameter to each request, where jwt is a JSON web token made from an API key and the uid of who is accessing, generated and managed by goa. A future post will go into the more complex OAuth2 method using Goa.
Security and rules
Firebase security is controlled through rules. This app dashboard entry shows that I am the only person allowed to access this database, and that I am allowed to both read and write.
Firebase secret
To be able to use JWT, you can use Firebase custom Login & Auth to set up a Firebase secret.
You’ll find this under Secrets.
Each request to the Firebase JSON API takes a JWT made up from this secret, plus an object that describes who is accessing, which will be validated against the Security and Rules entry we looked at earlier. In my case, this object looks like this, with the uid matching the one set up in the Security and Rules entry.
{ uid:"bruce" }
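What such a token contains and how the receiving side would check it, as an added example that is not code from this post, goa or cFireBase. It runs on Node.js; the claim layout (v, d, iat, exp), the function names and the demo secret are assumptions made for illustration.

```javascript
// Added example. Claim layout (v, d, iat, exp) is an assumption taken from the
// legacy Firebase custom-token format; it is not shown on this page.
const nodeCrypto = require('crypto');

const b64url = (input) => Buffer.from(input).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const hmac = (secret, text) =>
  nodeCrypto.createHmac('sha256', secret).update(text).digest();

// Mint an HS256 token carrying the auth object, e.g. { uid: "bruce" }.
function makeFirebaseJwt(secret, authData, nowSec, ttlSec) {
  if (!authData || typeof authData.uid !== 'string' || authData.uid === '') {
    throw new Error('auth data needs a non-empty string uid');
  }
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const claims = b64url(JSON.stringify(
    { v: 0, d: authData, iat: nowSec, exp: nowSec + ttlSec })); // short-lived
  const signingInput = header + '.' + claims;
  return signingInput + '.' + b64url(hmac(secret, signingInput));
}

// Check signature (constant time) and expiry; return the auth object or null.
function verifyFirebaseJwt(secret, token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const decode = (p) => JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
    if (decode(parts[0]).alg !== 'HS256') return null; // pin the algorithm
    const expected = hmac(secret, parts[0] + '.' + parts[1]);
    const given = Buffer.from(parts[2], 'base64');
    if (given.length !== expected.length) return null;
    if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
    const claims = decode(parts[1]);
    if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return null;
    return claims.d;
  } catch (e) {
    return null; // malformed base64 or JSON
  }
}

// Constructed values for demonstration only.
const DEMO_SECRET = 'constructed-demo-secret';
const demoToken = makeFirebaseJwt(DEMO_SECRET, { uid: 'bruce' }, 1700000000, 3600);
console.log(verifyFirebaseJwt(DEMO_SECRET, demoToken, 1700000100));
```

Anyone holding the secret can mint a token for any uid, and the token travels in the request URL, so a short expiry limits how long a token recovered from a logged URL stays usable.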
Database root
The third thing that’s required for database access is the root of the Firebase database, which in my case is
https://bigquiz.firebaseio.com/
Setting up Goa
Just as in all Goa authorization setups, you need a one off function that can be deleted after running. Mine looks like this.
cGoa.GoaApp.setPackage (PropertiesService.getScriptProperties() , {
  packageName: Demo.PACKAGE_PLAY.name,
  data:{
    uid:"bruce"
  },
  clientSecret:'axxxxxxxxxxxxxxxxxh',
  root:'https://bigquiz.firebaseio.com/',
  service:'firebase'
});
You’ll need to change the packageName to whatever you want to refer to this by, the root to your database, the uid to the accessor and the clientSecret to your Firebase secret. You can also change the property store from the script property store if, for example, you want to use different credentials for different users. Although this method is not using OAuth2, this would follow the same approach as described in Using OAuth2 when published as ‘user accessing the webapp’. However, it’s more likely you’ll be using the script properties if you are using JWT for authorization.
Using the jwt
If you are using my cFireBase library (more on this in a subsequent post), then this is all that’s required. Just change the package name and the properties service to the ones you’ve used.
// make a goa and get a firebase handle
var goa = cGoa.make (Demo.PACKAGE_PLAY.name,Demo.PACKAGE_PLAY.props);
// use this handle for everything
var handle = new cFireBase.FireBase().setAuthData (goa);
Subsequent accesses to firebase are simply made as in these examples
var result = handle.get(dataPath);
var result = handle.post(data,dataPath);
If you are not using the cFireBase library, you can extract the auth parameter from goa like this
// make a goa
var goa = cGoa.make (Demo.PACKAGE_PLAY.name,Demo.PACKAGE_PLAY.props);
// use in your request (options is your usual UrlFetchApp parameters object)
var result = UrlFetchApp.fetch (goa.getProperty ("root") + dataPath + '.json' + '?auth=' + goa.getToken(), options);
If you are not using the cGoa library, cFirebase also has a built in JWT generator. You can use it like this, passing your database root, the auth rules, and your client secret.
var handle = new cFireBase
.FireBase()
.generateJWT('https://bigquiz.firebaseio.com/',{uid:"bruce"},'aK.....h0h');