4

I am trying to figure out if it is possible to check the auth object from the client that called a firebase https cloud function, to achieve the following tasks:

1) Only allow authed users with a verified email to call the https endpoint, otherwise return 403.

2) Somehow gain access to the uid of the client that called the function, in order to set a node like characters/:uid in the database.

The reason for this is to disallow duplicate characters. I can manually pass the uid in req.body, but this means that anyone could fiddle with this and create 100 different characters by sending any sort of uid as the req.body payload.

The only workaround I can think of for this is changing this logic to database triggers, i.e. the client writes to the database node void/characters/uid (database rules do this whole validation), then a function listens to this change in the database, processes the data and pushes it to characters/uid.

But this means additional logic like removing the node after it is done is needed, plus I am not sure how to send back an error or success response to the client, as with https functions we can just res.send(200) or send back an error.

Frank van Puffelen
Ilja

1 Answer

2

If I understand this, I think this can be done by firebase rules.

https://firebase.google.com/docs/reference/security/database/#location

In the example provided, a rule like:

".write": "auth.uid === $user"

Would only allow authenticated users with the same uid as appears on the path to write data there.

I am uncertain if a 403 is returned. This implies that you are using firebase authentication, which is covered in some depth here, depending on the mechanism you are using for authentication.

cmonkey

Using rules is really the right answer here, if you do want to add authorization to an end-point we have an example on GitHub https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint – James Daniels Mar 23 '17 at 18:27
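A worked version of the check the question asks for, as an added example (not the question's, the answer's, or the linked Firebase sample's code). It assumes an Express-style req whose client sends its ID token as "Authorization: Bearer <token>"; the token verifier and database are injected so the block runs offline, whereas a deployed function would pass admin.auth().verifyIdToken and a Realtime Database transaction in their place.

```javascript
// Added example: the auth check an HTTPS function applies before trusting a uid.
// verifyIdToken and db are injected (assumption) so this runs without firebase-admin.

// Pull the ID token the client sends as "Authorization: Bearer <token>".
function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer (.+)$/.exec(header);
  return match ? match[1] : null;
}

// Resolve the caller: {status: 200, uid} on success, otherwise an error response.
async function authenticate(req, verifyIdToken) {
  const token = extractBearerToken(req);
  if (!token) return { status: 401, body: 'Missing Authorization: Bearer <ID token>' };
  let decoded;
  try {
    decoded = await verifyIdToken(token); // rejects forged, expired or revoked tokens
  } catch (e) {
    return { status: 403, body: 'Invalid ID token' };
  }
  if (!decoded.email_verified) return { status: 403, body: 'Email not verified' };
  return { status: 200, uid: decoded.uid };
}

// Create characters/{uid}. The uid comes from the verified token, never from req.body,
// and the write is create-only so a caller cannot mint a second character.
async function createCharacter(req, verifyIdToken, db) {
  const auth = await authenticate(req, verifyIdToken);
  if (auth.status !== 200) return auth;
  const path = `characters/${auth.uid}`;
  const created = await db.setIfAbsent(path, { name: req.body.name, owner: auth.uid });
  return created ? { status: 200, body: path } : { status: 409, body: 'Character already exists' };
}

// Constructed stand-ins so the example runs offline (hypothetical tokens and uids).
const FAKE_TOKENS = {
  'tok-verified': { uid: 'u1', email_verified: true },
  'tok-unverified': { uid: 'u2', email_verified: false },
};
async function fakeVerifyIdToken(token) {
  if (!FAKE_TOKENS[token]) throw new Error('bad token');
  return FAKE_TOKENS[token];
}
// In-memory stand-in for ref.transaction(cur => cur === null ? value : undefined).
function makeFakeDb() {
  const store = new Map();
  return { store, async setIfAbsent(p, v) { if (store.has(p)) return false; store.set(p, v); return true; } };
}
```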