1

My question is very similar to the one found here however that question never seem to get fully answered.

I have a set of HTTPS Post calls within cloud functions that write to my firebase realtime database.

For example:

app.post('/api/dosomething', (req, res) => {
    //implementation...
});

The problem is when I write to the DB I am doing so as an admin hence all security rules get ignored.

import * as functions from 'firebase-functions';
const admin = require('firebase-admin')
admin.initializeApp(functions.config().firebase)

I tired the following but receive an error in my functions log

const nonadmin = require('firebase')
nonadmin.initializeApp(functions.config().firebase);

I am having trouble finding documentation on how to obtain a non admin database reference. I read this post here however that is based off of a trigger and using the returned event object. In my cloud function I am using a post request.

Padawan
  • 770
  • 1
  • 8
  • 18

2 Answers2

1

There is currently no way to modify the scope of the Firestore SDK to behave as a certain user, in order for security rules to apply. This is something the engineering team is looking into.

The question you linked to is old. Ever since Functions SDK version 1.0, event.data.ref (for Realtime Database) is no longer scoped to the user that made the change. Again, the team is looking into alternatives.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
0

Firebase currently doesn't have a NodeJS client library.

If you really need the security rules to be applied, you can use the REST API. You'd make the call to save/retrieve data with a HTTP Client like axios for example.

Rosário Pereira Fernandes
  • 11,015
  • 6
  • 55
  • 79
  • This isn't what the OP is asking for. They want the force the Firestore SDK to be scoped to a particular user, in order for security rules to apply. – Doug Stevenson May 27 '18 at 09:09