Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Run any DB request as a Firebase app's end-user

See original GitHub issue

Thanks for stopping by to let us know something could be better!

PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.

Is your feature request related to a problem? Please describe. Hi, security rules are amazing. Its too bad they only work for client side code. On Node.js (server side code), I have to roll my own security rules.

Describe the solution you’d like I should be able to run database request as the applications end user.

On the client-side, Firebase makes use of the app’s end-user’s JWT. That information is used to match against security rules. On the server-side, you should allow a user to pass their end-user’s JWT to Firestore. The JWT can then be processed, along with the resource, to check against security rules to ensure this app’s end user has read / write access to the resource. It’d be simple to do this. We just need one more argument, the end user’s JWT.

For example:

const Firestore = require('@google-cloud/firestore');

async function main( req, res ) {
    const firestore = new Firestore();
    const endUserJWT = req.jwt // given we have access to the end-user's JWT, which is by defintion a custom Firebase JWT , or the actual firebase JWT, then lets make a variable out of that

    const document = firestore.doc('posts/intro-to-firestore');
    console.log('Document created');
 
    // Enter new data into the document.
    await document.set({
      title: 'Welcome to Firestore',
      body: 'Hello World',
    }, endUserJWT );
    console.log('Entered new data into the document, accepted if UID is allowed to write, rejected otherwise');
 
    // Update an existing document.
    await document.update({
      body: 'My first Firestore app',
    }, endUserJWT );
    console.log('Updated an existing document, if this UID is allowed to update');
 
    // Read the document.
    let doc = await document.get( endUserJWT );
    console.log('Read the document, if the UID is allowed to read this resource');
 
    // Delete the document.
    await document.delete( endUserJWT );
    console.log('Deleted the document, if the UID is allowed to delete this resource');
 
};
 
main().catch(console.error);

This simple setup takes an optional second parameter, endUserJWT. The Firestore libabry can act as normal – if no JWT is provided, universal access is granted, if a JWT is passed, run the request against security rules.

Suddenly, security rules work on the client-side (thanks to JWT access) and server-side (thanks to JWT access), lol.

Describe alternatives you’ve considered I have to roll my own security rules, which is a hassle, but I’m doing this now. Its a no brainer to add this feature to radically simplify Firestore dev’s lives. Additional context Alt Text

Issue Analytics

  • State:open
  • Created 5 years ago
  • Reactions:7
  • Comments:9 (1 by maintainers)

github_iconTop GitHub Comments

7reactions
lookfirstcommented, Aug 14, 2019

I would love to be able to use the Admin SDK as a specific user on a per request basis.

3reactions
NawarAcommented, Jul 17, 2020

This is actually a really easy feature for the Firestore team to add.

As I mentioned earlier on this thread, to make this work, on the backend just allow dev’s to pass in the user’s JWT to the DB action.

let doc = await document.get( endUserJWT );

If endUserJWT is undefined, Firestore grants universal access (what we have today). If it is defined and the JWT is a valid client-side generated JWT that represents a user, then the Firestore checks its security rules to ensure the users is allowed to the do the action.

This feature is easy to add and maintain for the FS team (ie. its a very isolated service) and allows the firestore community to use security rules on the backend (which is important).

Read more comments on GitHub >

github_iconTop Results From Across the Web

Firebase Realtime Database
The Firebase Realtime Database can be accessed directly from a mobile device or web browser; there's no need for an application server. Security...
Read more >
Authenticating users | Cloud Run Documentation
For an end-to-end walkthrough of an application using this authentication technique, follow the end user authentication for Cloud Run tutorial.
Read more >
Firebase Realtime Database - Google Cloud Console
The Firebase Realtime Database can be accessed directly from a mobile device or web browser; there's no need for an application server. Security...
Read more >
Firebase - App success made simple - npm
Overview · Firebase Realtime Database - The Firebase Realtime Database lets you store and query user data, and makes it available between users ......
Read more >
How to protect firebase Cloud Function HTTP endpoint to ...
For apps that require user authentication, use HTTPS Callable Firebase Functions, then use the context parameter to save all the hassles.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Firestore operations not performed correctly

Next page

Firestore emulator auth connection issues