I was able to complete the process of generating a Firebase auth token on the front end, sending it to a Firebase Cloud Function, and using auth.verifyIdToken to decode it and pull out the user ID.
I want to use Cloud Firestore, but I have no idea how to use the user token/ID when making requests to Cloud Firestore from Firebase Functions. My goal is to then have those variables available when creating Cloud Firestore security rules.
a) Do I need to pass those variables in the Firestore request?
Example:
postsRef.where({uid //somehow?}, 'published', '==', true).get();
b) Should I use auth.setCustomUserClaims? Is that the only option when working from the Admin SDK?
c) What is different in usage between the ID and the decoded token? Should I pass both to Cloud Firestore? Is that even possible?
Let me know what you think, any info is helpful.
Thanks,
What you're trying to do is actually not possible. When you query Firestore from backend code using one of the server SDKs (including the Firebase Admin SDK), the query will always bypass all security rules. There is no way to change this behavior. Rules only apply to direct access from web and mobile clients.
What you'll have to do instead is duplicate the work of the rule in your backend code to make sure all the conditions are correct before making your query.
Related
I have a flutter app and use firebase auth and firestore. The data in firestore is only read and written from within the app.
I just realized, that every authorized user can access his data in firestore via the REST apis, if he has a correct auth token (e.g. from the AUTH rest api) and the API_KEY. As I understand, the API_KEY is not private.
So, even if I set up my security rules correctly, so that a user can only read and write his data, he could still access and change the data via the REST API. This could break my data model, as the data has to be structured in a special way.
Is there any way to allow access to firestore only from within the app and block it from REST calls?
Why are firebase API keys default unrestricted?
Should I limit the key to be used only by the Android APP like described here?
You should be validating the data requests within Security Rules to ensure that your data structure is being adhered to in all cases.
https://firebase.google.com/docs/rules/data-validation
as for the Rest API, it is not possible to outwardly block or deny it as it is built into GCP's core as part of the public API, however, you may be interested in App Check which can deny requests from outside your Android/iOS/Web app
https://firebase.google.com/docs/app-check
it's in early Beta and can help with unsolicited abuse to the mentioned platforms.
I am looking to use the https.onCall to accept some input from a user (such as data about another user). I'd then like to do some advanced processing on that data including retrieving sensitive data from other entries on my firestore that should not be exposed. Depending on the outcome of that analysis, I will update other locations in the database. However, I am concerned about the security of the original call and its source. I know that I have the context parameter on the onCall to verify the source was logged in, but I'd like to apply security rules to the final write based on the context.auth provided to the cloud function.
The security rules are straight forward for normal database operations but not if I'm doing an operation (seeded by a normal user) routed through the Admin SDK.
Thoughts?
but I'd like to apply security rules to the final write based on the context.auth provided to the cloud function
As you are aware that you can identify which user made a call to functions as well as that Admin SDK has super-access to database, the general flow should be to write functions in a way that they only edit documents that should be editable by the user.
If you had still like to narrow down access, you can do that for firebase database by passing databaseAuthVariableOverride when initializing admin app.
Read more on authenticating with limited privileges
When you use the admin SDK, or any of the server SDKs, it always bypasses all security rules. Rules only apply to access coming directly from web and mobile clients using the client SDKs.
If you need to apply some sort or restricts to data written from your backend, you will need to code that into the logic of your backend code. Security rules will be of no help.
I recently developed with the implementation of firestore and firestore security rules.
Certain authenticated users can grab data if they are created by them, was one of the feature of the app.
i.e,
A creates X
B creates Y
A can't access Y and B can't access X.
This is ensured using security rules.
I deployed the app with cloud functions, and this acts as an api.
Simulating the security rules passes without failure, but when called the api for accessing via tool like postman,
A can access Y and X
and B can access X and Y.
I read this stack overflow question that talks about overwriting the security rule if used by firebase-admin sdk, which is what I am using.
But i am just curious, is there any other ways to restrict outside api tools to fetch data like this?
Here is the link
All access to Firebase and Cloud products (Realtime Database, Cloud Firestore, Cloud Functions) coming from any backend SDK will bypass security rules entirely. This includes the Firebase Admin SDK and any other Cloud SDKs. Security rules only apply to web and mobile client access.
YES, It Will
I enabled the following rule!
still, I was able to fetch data with
help of cloud function via Created API
/* The following code blocks whole database access*/
match /databases/{database}/documents{
match /{document=**}{
allow read, write:if false;
}}
So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.
I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.
But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.
Security rules only apply to access from web and mobile SDKs. It does not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.
As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He is explaining how to do this. Just use the generated token instead what’s been used in the video.
I need to check a document's data in Firestore to allow someone to view an image in Firebase Storage. Is this possible?
It is currently not possible to access Cloud Firestore documents directly from Cloud Storage rules. You have two options:
Somehow use Firebase Authentication custom claims on the user account to determine if a user should be able to access a file.
Use some backend code (maybe a Cloud Functions HTTP trigger) that the user accesses to download the file if the conditions are met.
In either case, you will need some backend code that checks and sets the appropriate data.