How to make Firebase Functions act as a user instead of being an admin?

Asked 5/9, 2018 at 2:55 Answered 3/10, 2020 at 15:28

node.js firebase google-cloud-firestore google-cloud-functions firebase-admin

My client app is accessing to Firestore through API created by Firebase Functions. However, the Firebase Functions imports firebase-admin which bypass all the defined security rule. Is there any way I can make my HTTP triggers Function to act as a specific user (for example, by passing an access token from client to server), so that the Functions works under influence of Firebase Functions as well.

Blackandwhite answered 5/9, 2018 at 2:55 Comment(0)

There is currently no way to do this. The Firestore SDK for node doesn't have a way of scoping its access to the database as a particular authenticated user.

Note that this is different than the Realtime Database SDK, which does allow you to scope to a uid.

Voyage answered 5/9, 2018 at 2:58 Comment(8)

Since I'm using admin SDK. So, the SDK basically can access any node. Even I structured my DB scoped with uid, I don't think I can control the access. Of course, I could control manually checking logic in Firebase Functions, but I wonder if I could achieve it in DB level. Any clue? – Blackandwhite 6/9, 2018 at 0:39

What do you mean by "in DB level"? As I said, if you're using the Admin SDK, you don't have an option to control access. – Voyage 6/9, 2018 at 1:5

What I meant is if there is a way I can query the database on behalf of user so that the request is processed as if it was called by the client app (even if it runs in Firebase Functions) without using firebase-admin. – Blackandwhite 6/9, 2018 at 5:58

As my answer says, this is not currently possible with Firestore. – Voyage 6/9, 2018 at 6:0

Isn't it possible by using request.resource.data.keys() in Firestore rules? I am considering to add a collection to store the list of authorized users and check if the record exists with the keys(). Any opinion on this? – Blackandwhite 6/9, 2018 at 8:16

I don't see how that would help you restrict access to anything per user. – Voyage 6/9, 2018 at 16:21

I submitted a feature request to Firebase to allow the admin sdk to take an optional firebase auth token from the client and make a firestore request as if it was that user, so the security rules kick in. My use case is I want to run a GraphQL layer in Cloud Run that sits between firestore and a logged in web app client – Cox 17/5, 2019 at 0:3

Updates. Google seems to have no interest in supporting it: github.com/firebase/firebase-functions/issues/300 – Blackandwhite 19/5, 2020 at 14:20

I think it is possible to access Firestore via an admin-sdk but scope it to the logged-in user if you are use REST APIs to access Firestore.

For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:

Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.

Americaamerican answered 30/11, 2019 at 3:39 Comment(0)

-2

You can read the bearer token from req.headers and then verify it with admin.auth().verifyIdToken(token) see https://www.toptal.com/firebase/role-based-firebase-authentication

Stacistacia answered 3/10, 2020 at 15:28 Comment(0)

Recommended topics

Hot tags