3

In my firebase cloud functions I'm often reading a writing data from and to the firebase database. Considering that according to the documentation, functions run with admin privileges. As a result, all my security rules in the DB are bypassed. Considering that some of my functions are essentially API calls (HTTP triggers, etc), I'd like to enforce the DB rules.

Is there a way to use a non-administrative account from the firebase cloud functions?

Current code: 

const functions     = require('firebase-functions');
const admin         = require('firebase-admin');

admin.initializeApp(functions.config().firebase);

const ref = admin.database().ref();

I've tried to use the 'standard' firebase NPM module, but that won't work, deployment fails with some internal error - I guess it was not designed for such use (documentation seems to confirm this).

Community
  • 1
  • 1
Ashton
  • 1,265
  • 14
  • 23
  • Can you edit your question to give an example of the rules that you are expecting to be in place for both clients that write directly and Cloud Functions invoked anonymously over HTTP? – Doug Stevenson May 13 '17 at 23:01
  • Hi Doug, thanks for your attention. I think I understand your request. I've missed to mention that mobile clients use the HTTPS functions exclusively to interact with the DB. This is so because development started initially on Azure, but I fell in love with Functions when you released it. So we'll be migrating the mobile code to eventually interact directly with the DB, but for now we use this API-like approach. And I'd like to make sure that the DB rules are kept, even by the anonymously invoked functions. – Ashton May 14 '17 at 10:18
  • FUTURE VIEWERS: For anyone coming across this in the future, in [THIS ANSWER](https://stackoverflow.com/a/48601453/8026947) Doug provides a walk-through of how to mimic user-permissions in the Admin SDK. – JeremyW Sep 27 '19 at 18:36

1 Answers1

0

If your client app doesn't need to allow clients to write the database directly, I suggest you set the database security rules to read-only for all authorized users, then verify all data written via HTTPS function within the logic of the function itself. You'll have a lot more flexibility in expressing what's valid, and in the event a client sends invalid data, you'll be able to generate more useful error messages. (Security rules don't give you a strong indication what exactly is wrong with the write, only that it failed.)

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Thank you Doug for the follow up, I understand. The mobile clients do not write to the DB directly, but a web client does (which is what service providers will use). So unfortunately I can't disallow all authenticated clients to write. I kinda get the feeling that currently it's not possible to select a non-administrative account from the Functions. Would you confirm this please ? Then I can look into writing my own security as you suggested. – Ashton May 14 '17 at 20:04
  • @Doug is there an alternative to your answer above that would allow a cloud function to authenticate in a manner that would still enforce security rules? I'd rather use security rules than validate in functions – geg Dec 07 '20 at 22:52