FirebaseDB secured connection?

Thanks a lot TIM.

I'm not capable to folow your explanation for setting a listener on a protected node of the database (my only programming skills are using AppInventor blocks).

On the other side, I've been playing arround for months with writing authenticated requests to FireBase RealTime DataBase using HTTP REST (Thanks a lot for your explanation. This one I understand and can follow).

But I found it unreliable, because had a lot of random errors (both when writing messages from app to server through the data base, and when erasing the messages, to clean the database node.

It's probable I'm doing something wrong.
I send my blocks attached, in case you can do me a favour and can take a look at them.

You appear to have an infinite loop of setting a value in firebase, then deleting, or trying to delete....

Please explain what you are looking to achieve.

Thanks Tim.
Iā€™ll try to explain my best (sorry, it will be long):

The idea is that the app sends a message to a certain server.
App writes the message at the project's FireBase Real Time Data Base, at /UID/node/.
The server (currently it's also implemented as another AppInventor app running on a tablet) has Administrator privileges and has a listener set up on this node, so it receives the message.

Once enough time is allowed for the message to be received by the server (some hundred milliseconds), the app cleans the message from DB.
The reason to delete the messages this way, is that the server would be to busy to take care of that (because there will be too many apps accessing a single server).

Everything was working fine with the standard Fire Base App Inventor blocks.

But every day I received an email from FireBase, warning that current rules allow that anyone could read or write on the database. So I tried to secure the data base.

In order to protect the communication between apps and server from possible pirates, I tried that only authenticated apps could write messages to server. So I set up some rules on FirebaseDB:

"$uid" : {
".write" : "$uid === auth.uid",
"node" : {
".read" : false,

Now, writing on /UID/node/ was prevented, unless app has previously authenticated at FBAuth (I do this using the Gustavo Arango's extension).
Upon authenticating, an IdToken is received by the app, which includes the UID.
This UID, is the same of the path /UID/node/.

When I tried to secure the database, I discovered that the standard AppInventor FireBase blocks doesn't allow to write authenticated requests. So I had to redesign the whole communications part of the app, to write http REST authenticated requests instead.
With the help of your explanations I achieved to send them. And the receipt of those messages by server succeeded most of the times, but not always.
Randomly (let's say once every 7 times) I got an 1103 error reply from FireBase to the app (and, of course, this message was missing and was never received by the server).

I also had problemns deleting the messages:
FB always returned a 200 answer.
But I could see from FireBase console, that some times the message was still there on the data base.

I couldn't find the reason, nor solve the issue. So I surrendered.

I had to think of different FB rules (more relaxed and less secure), and come back to using the standard FB App Inventor blocks, that work so fine, and never fail.

1 Like

??? what is this ? Mirxtrem Apps ?

Yes. Exactly

Are you worried about someone hacking your FB DB or are you just annoyed with the constant warnings?
There is an alternate solution if you are worried about hacking and your current rules setup but you have to get another extension - Carlos Pedrosa's Addon extension - it allows you to place the FB URL into a code block (using obscured text block of course) - in that way, you can hide your URL.

Only if you use the firebase component and mirextrem's extension. If you use the Firebase REST api and the web component, then no [paid] extension is required.