If I create a Firebase Function, I am able to freely read and write to my Firestore database using:
const admin = require('firebase-admin');
[...]
admin.firestore().collection("collection").add({"foo": "bar"});
While I see that the firebase-functions library provides a reference to firestore, I can't see in the documentation how this is used in a similar manner to add/update data with the constraints of security rules.
Is this the the class I should be using, or are there other means to adopt this security from within a Function?
Code that uses backend SDKs, such as Firebase Admin, or any of the Google Cloud SDKs, always bypass security rules. This includes code running in Cloud Functions, which is considered "backend". You can't use security security rule to limit their access. Security rules only apply to access from the client SDKs, used along with Firebase Authentication.
Related
When writing to the firestore in cloud functions we use the Admin SDK which has full read and write permissions on the firestore. But I dont wan't to implement complex user permission logic in my functions again so I would like to use the firestore rules when a user tries to write in the firestore through a Cloud Function. Is that possible?
There is no way to enforce the Firebase security rules while accessing Firestore through the Admin SDK. You could consider using the client-side Node SDK, although I haven't tried that myself.
I recently developed with the implementation of firestore and firestore security rules.
Certain authenticated users can grab data if they are created by them, was one of the feature of the app.
i.e,
A creates X
B creates Y
A can't access Y and B can't access X.
This is ensured using security rules.
I deployed the app with cloud functions, and this acts as an api.
Simulating the security rules passes without failure, but when called the api for accessing via tool like postman,
A can access Y and X
and B can access X and Y.
I read this stack overflow question that talks about overwriting the security rule if used by firebase-admin sdk, which is what I am using.
But i am just curious, is there any other ways to restrict outside api tools to fetch data like this?
Here is the link
All access to Firebase and Cloud products (Realtime Database, Cloud Firestore, Cloud Functions) coming from any backend SDK will bypass security rules entirely. This includes the Firebase Admin SDK and any other Cloud SDKs. Security rules only apply to web and mobile client access.
YES, It Will
I enabled the following rule!
still, I was able to fetch data with
help of cloud function via Created API
/* The following code blocks whole database access*/
match /databases/{database}/documents{
match /{document=**}{
allow read, write:if false;
}}
So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.
I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.
But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.
Security rules only apply to access from web and mobile SDKs. It does not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.
As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He is explaining how to do this. Just use the generated token instead what’s been used in the video.
I want to initialize a Firestore database with a script and so I would like to write to the database rules through a REST API rather than manually.
There is a REST API to edit Firebase Realtime Database security rules. There is also a REST API to interface with Firestore in general. However, I have not found a REST API to edit Cloud Firestore database security rules.
The best way is probably to use the firebase-tools node module, which you may already know from using it as the Firebase CLI.
By signing in with login:ci, you can then call various commands from within your CI system, including deploying your Firestore security rules by running or calling firebase deploy --only firestore:rules.
I'm using Cloud Firestore as my back-end. I'm using rules so only authenticated users can read some data (private data) and none of them can write. I have also created a function that is triggered when some new content is added to the database. However, when the function is triggered, I'm able to write data even if the rules as set to false.
How to stop that from happening?
Actually when you access to Firestore via a Cloud Function (using the Firebase Admin SDK) none of the security rules apply.
The following documentation https://firebase.google.com/docs/admin/setup explicitly indicates that for the Relatime Database:
The Admin SDK lets you interact with Firebase from privileged
environments to perform actions like Read and write Realtime Database
data with full admin privileges.
but it is the same with Firestore.
There is also a note in this Firestore "Get Started" documentation https://firebase.google.com/docs/firestore/security/get-started:
Note: The server client libraries bypass all Cloud Firestore Security
Rules...
As said above, this not only applies to the Admin SDK but also applies to the other server SDKs, because you use these server SDKs from what Firebase calls "a privileged environment", like your own server (under your control) or Cloud Functions (under your control too, since you are the only one able to deploy Cloud Functions code). See also What is a "trusted server environment" in Firebase?
If you want to restrict the write access for your Cloud Function, you will need to develop a specific business logic, in your Cloud Function, to mimic your security rules.