Is there a way to make sure that a PHP script containing a server key can only be run (and viewed) by a call from a specific originating server, in this case my Firebase app server? How? .htaccess?
I have this PHP script, holding the server secret key, to generate a token, hosted on 'anotherwebserver' since firebaseserver doesn't run PHP server software.
```php
<?php
include_once "FirebaseToken.php";

// uid and level arrive from whoever POSTs to this URL
$uid = $_POST['uid'];
$level = $_POST['level'];   // read but not used below

// the secret key is embedded in the script and used to sign the token
$tokenGen = new Services_FirebaseTokenGenerator("<secretkey>");
$token = $tokenGen->createToken(array("uid" => $uid), array("admin" => false));
echo $token;
?>
```
The script is called by the following JavaScript code on the firebaseserver, containing the full path to the PHP script file, visible to anyone interested in the secret key. The whole idea of using PHP to generate the token, however, was to avoid visibility of the secret key...
```javascript
function createToken(user) {
    // POST the uid to the PHP endpoint; the call is made by the browser running this page
    $.post('https://anotherwebserver/fullpath/maketokenscript.php', {uid: user, level: 'docent'})
        .done(doneCallback)
        .fail(function (jqXHR, textStatus, errorThrown) {   // .error() was removed in jQuery 3
            alert("Create token mislukt: " + textStatus + " " + errorThrown);
        });
}

function doneCallback(token) {
    // ref is the Firebase reference created elsewhere on the page
    ref.authWithCustomToken(token, authHandler);
}
```
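Added example, not the poster's code: a hardened version of the endpoint that gates access on an authenticated server-side session instead of trying to whitelist an originating server, since the request actually comes from the user's browser. It assumes FirebaseToken.php and Services_FirebaseTokenGenerator as on the page, a hypothetical login step that has set $_SESSION['uid'] and $_SESSION['role'], a FIREBASE_SECRET environment variable, a placeholder page origin, and that the generator accepts an `expires` option.

```php
<?php
// Added example (not the poster's code): a hardened token endpoint.
// Assumptions: FirebaseToken.php and Services_FirebaseTokenGenerator as on the
// page; a hypothetical login.php has already set $_SESSION['uid'] and
// $_SESSION['role']; the secret is read from the FIREBASE_SECRET environment
// variable; the page origin below is a placeholder.
include_once "FirebaseToken.php";
session_start();

// The request comes from the user's browser, not from "the Firebase server", so
// there is no trusted server to whitelist. Tie the request to a server-side
// session that a login step created; this is the check that actually gates access.
if (empty($_SESSION['uid'])) {
    http_response_code(401);
    exit('not logged in');
}

// Defence in depth for the cross-origin call: only answer POSTs whose Origin is
// the page that hosts the JavaScript, and only expose the response to that origin.
$allowedOrigin = 'https://<your-firebase-app>.firebaseapp.com'; // placeholder
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || ($_SERVER['HTTP_ORIGIN'] ?? '') !== $allowedOrigin) {
    http_response_code(403);
    exit('forbidden');
}
header('Access-Control-Allow-Origin: ' . $allowedOrigin);
header('Access-Control-Allow-Credentials: true');
header('Vary: Origin');

// Never let the client choose the uid or its privileges ($_POST['uid'] and
// $_POST['level'] are ignored); both come from the authenticated session.
$uid = $_SESSION['uid'];
$isAdmin = (isset($_SESSION['role']) && $_SESSION['role'] === 'admin');

// The secret is loaded at runtime and never leaves the server; a visible script
// path does not expose it because the web server executes PHP instead of serving it.
$secret = getenv('FIREBASE_SECRET');
if ($secret === false || $secret === '') {
    http_response_code(500);
    exit('server misconfigured');
}

$tokenGen = new Services_FirebaseTokenGenerator($secret);
$token = $tokenGen->createToken(
    array('uid' => $uid),
    array('admin' => $isAdmin, 'expires' => time() + 3600) // short-lived token
);
header('Content-Type: text/plain');
echo $token;
```

For the cross-origin call in the question, the jQuery request must also set `xhrFields: { withCredentials: true }` and the session cookie must carry `SameSite=None; Secure`, or the browser will not send it to anotherwebserver.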