Is there a way to write database rules through Firestore's REST API - firebase

I want to initialize a Firestore database with a script and so I would like to write to the database rules through a REST API rather than manually.
There is a REST API to edit Firebase Realtime Database security rules. There is also a REST API to interface with Firestore in general. However, I have not found a REST API to edit Cloud Firestore database security rules.

The best way is probably to use the firebase-tools node module, which you may already know from using it as the Firebase CLI.
By signing in with login:ci, you can then call various commands from within your CI system, including deploying your Firestore security rules by running or calling firebase deploy --only firestore:rules.

Related

Use Firestore Rules in Cloud Functions

When writing to the firestore in cloud functions we use the Admin SDK which has full read and write permissions on the firestore. But I dont wan't to implement complex user permission logic in my functions again so I would like to use the firestore rules when a user tries to write in the firestore through a Cloud Function. Is that possible?
There is no way to enforce the Firebase security rules while accessing Firestore through the Admin SDK. You could consider using the client-side Node SDK, although I haven't tried that myself.

How do I account for Google Cloud Firestore security rules in Firebase Functions?

If I create a Firebase Function, I am able to freely read and write to my Firestore database using:
const admin = require('firebase-admin');
[...]
admin.firestore().collection("collection").add({"foo": "bar"});
While I see that the firebase-functions library provides a reference to firestore, I can't see in the documentation how this is used in a similar manner to add/update data with the constraints of security rules.
Is this the the class I should be using, or are there other means to adopt this security from within a Function?
Code that uses backend SDKs, such as Firebase Admin, or any of the Google Cloud SDKs, always bypass security rules. This includes code running in Cloud Functions, which is considered "backend". You can't use security security rule to limit their access. Security rules only apply to access from the client SDKs, used along with Firebase Authentication.

Why are Cloud Functions not stopped from writing when using Security rules in Firestore?

I'm using Cloud Firestore as my back-end. I'm using rules so only authenticated users can read some data (private data) and none of them can write. I have also created a function that is triggered when some new content is added to the database. However, when the function is triggered, I'm able to write data even if the rules as set to false.
How to stop that from happening?
Actually when you access to Firestore via a Cloud Function (using the Firebase Admin SDK) none of the security rules apply.
The following documentation https://firebase.google.com/docs/admin/setup explicitly indicates that for the Relatime Database:
The Admin SDK lets you interact with Firebase from privileged
environments to perform actions like Read and write Realtime Database
data with full admin privileges.
but it is the same with Firestore.
There is also a note in this Firestore "Get Started" documentation https://firebase.google.com/docs/firestore/security/get-started:
Note: The server client libraries bypass all Cloud Firestore Security
Rules...
As said above, this not only applies to the Admin SDK but also applies to the other server SDKs, because you use these server SDKs from what Firebase calls "a privileged environment", like your own server (under your control) or Cloud Functions (under your control too, since you are the only one able to deploy Cloud Functions code). See also What is a "trusted server environment" in Firebase?
If you want to restrict the write access for your Cloud Function, you will need to develop a specific business logic, in your Cloud Function, to mimic your security rules.

Connect to Firebase buckets

I have a backend in golang and was wondering how I can connect to Firebase storage to create/delete buckets and add/delete files. Can I use the Admin sdk. I found the client storage lib in golang for google cloud storage. Can I use that? And whats the difference between firebase storage and google cloud storage?
The app I'm working on connects to Firebase Storage Buckets via the Admin SDK, but we're using Firebase Functions in Node.js. However, it looks like the Admin SDK in Go offers the same Storage access, and it's documented (with example code in Go) here:
https://firebase.google.com/docs/storage/admin/start
I like using Admin in Firebase, because you don't have to worry about project configuration and authentication to the various services. Firebase storage is google cloud storage, but with a nice wrapper and well-integrated into other aspects of your Firebase project. You get some limitations as a trade-off for all of that convenience, but unless you run into a feature of Google Cloud that you absolutely need and doesn't exist in Firebase, I'd stick with the Firebase (and Admin) version.

How to switch from Datastore to Firestore in existing project?

I have an existing Google Cloud project which uses Datastore. I'm excited by Firestore and would like to switch. According to https://www.youtube.com/watch?v=SYG-BgXoJFQ it is recommended to create a new project.
Is it possible to just nuke Datastore somehow (I don't care about the data) and start from scratch with Firestore?
If not, what are the implications of creating a new project?
If there is no data written to Cloud datastore, it's possible to convert from datastore to firestore with the following steps. I tried on 2 projects and each project took 3 minutes. The user should be the project owner to attempt:
Disable Cloud datastore API
Disable Cloud Firestore API
gcloud firestore databases create --region=us-central --project $PROJECT_ID
I have another project that has little datastore entities. I deleted them and executed the steps, but received the following error. While disabling datastore API, I read Disable Cloud Datastore API? If any resources were created by Cloud Datastore API, they may be deleted soon after Cloud Datastore API is disabled. All code that uses this project's credentials to call Cloud Datastore API will fail.
ERROR: (gcloud.firestore.databases.create) Error Response: [9] The
"database_type" field cannot be modified for this application. Note:
If data has already been written for this application, then the
"database_type" may not be modified.
The solution is to contact Google cloud support to convert from Datastore to Firestore. You need to make sure no entities exist and nothing is creating any entities.
In the case where no Datastore entities have been written, the operation should succeed:
Success! Selected Google Cloud Firestore Native database for $PROJECT_ID
It is not possible to switch from Datastore to Firestore within the same project as yet, but you may operate Firestore in Datastore mode. By creating a Cloud Firestore database in Datastore mode, you can access Cloud Firestore's improved storage layer while keeping Cloud Datastore system behavior. You may find more information of relevance by reading the "Automatic Upgrade to Cloud Firestore" documentation page.

Resources