Use Firestore Rules in Cloud Functions - firebase

When writing to Firestore in Cloud Functions we use the Admin SDK, which has full read and write permissions on Firestore. But I don't want to implement complex user permission logic in my functions again, so I would like to use the Firestore rules when a user tries to write to Firestore through a Cloud Function. Is that possible?

There is no way to enforce the Firebase security rules while accessing Firestore through the Admin SDK. You could consider using the client-side Node SDK, although I haven't tried that myself.

Related

How do I authenticate Firebase functions/admin requests to Firestore

I was able to complete the process of generating a Firebase auth token on the front end, sending it to a Firebase Cloud Function, and using auth.verifyIdToken to decode it and pull out the user ID.
I want to use Cloud Firestore, but I have no idea how to use the user token/ID when making requests to Cloud Firestore from Firebase Functions. My goal is to then have those variables available when creating Cloud Firestore security rules.
a) Do I need to pass those variables in the Firestore request?
Example:
postsRef.where({uid //somehow?}, 'published', '==', true).get();
b) Should I use auth.setCustomUserClaims? Is that the only option when working from the Admin SDK?
c) What is different in usage between the ID and the decoded token? Should I pass both to Cloud Firestore? Is that even possible?
Let me know what you think, any info is helpful.
Thanks,
What you're trying to do is actually not possible. When you query Firestore from backend code using one of the server SDKs (including the Firebase Admin SDK), the query will always bypass all security rules. There is no way to change this behavior. Rules only apply to direct access from web and mobile clients.
What you'll have to do instead is duplicate the work of the rule in your backend code to make sure all the conditions are correct before making your query.

How do I account for Google Cloud Firestore security rules in Firebase Functions?

If I create a Firebase Function, I am able to freely read and write to my Firestore database using:
const admin = require('firebase-admin');
[...]
admin.firestore().collection("collection").add({"foo": "bar"});
While I see that the firebase-functions library provides a reference to firestore, I can't see in the documentation how this is used in a similar manner to add/update data with the constraints of security rules.
Is this the class I should be using, or are there other means to adopt this security from within a Function?
Code that uses backend SDKs, such as Firebase Admin or any of the Google Cloud SDKs, always bypasses security rules. This includes code running in Cloud Functions, which is considered "backend". You can't use security rules to limit their access. Security rules only apply to access from the client SDKs, used along with Firebase Authentication.

Which is the best way to perform CRUD operations on firestore using flutter?

Is it better to create cloud functions, that are called from within your flutter app, that perform operations(Create Read Update Delete) on your cloud firestore or is it better to just directly access your firestore using flutter without the intervention of any cloud function? What are the ideal situations that determine which method to use?
I think it depends on the documents that you are working with. As long as you have specified the security rules for specific document paths and all the data is validated within the app and in the security rules, you should be fine to complete these operations from the app. It is also important to give access only to authenticated users; you can use the firebase_auth plugin for that.
You can check out this video to understand the security rules.
If you are performing anything other than CRUD, like managing notifications or dynamically changing the documents in the background, that's where you can get the most out of Cloud Functions. The Firebase team also has great videos about it.

Pass user auth to Firestore from Cloud functions

So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.
I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.
But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.
Security rules only apply to access from web and mobile SDKs. They do not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.
As you use the Admin SDK in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He explains how to do this. Just use the generated token instead of what's been used in the video.

Is there a way to write database rules through Firestore's REST API

I want to initialize a Firestore database with a script and so I would like to write to the database rules through a REST API rather than manually.
There is a REST API to edit Firebase Realtime Database security rules. There is also a REST API to interface with Firestore in general. However, I have not found a REST API to edit Cloud Firestore database security rules.
The best way is probably to use the firebase-tools node module, which you may already know from using it as the Firebase CLI.
By signing in with login:ci, you can then call various commands from within your CI system, including deploying your Firestore security rules by running or calling firebase deploy --only firestore:rules.