I've been able to set permissions on my Firestore database. The logic behind the rule is to restrict users to those who are authenticated and belong to a specific domain.
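    service cloud.firestore {
      match /databases/{database}/documents {
        // Every document: reads and writes require a signed-in user from the domain.
        match /{document=**} {
          allow read, write: if isUserAndSignedIn();
        }
      }

      // True when the request carries an auth token whose email ends in @domain.com.
      function isUserAndSignedIn() {
        return request.auth != null && request.auth.token.email.matches('.*@domain[.]com');
      }
    }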
The rule works fine for CRUD operations as expected, but it doesn't work for triggers. In my case I'm getting the following error when the trigger (a Cloud Function) is executed:
    FirebaseError: Missing or insufficient permissions.
        at new FirestoreError (/srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:348:28)
        at JsonProtoSerializer.fromRpcStatus (/srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:5385:16)
        at JsonProtoSerializer.fromWatchChange (/srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:5883:44)
        at PersistentListenStream.onMessage (/srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:14779:43)
        at /srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:14708:30
        at /srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:14748:28
        at /srv/node_modules/@firebase/firestore/dist/index.node.cjs.js:10612:20
        at <anonymous>
        at process._tickDomainCallback (internal/process/next_tick.js:228:7)
Any idea how I can solve this in the rule? How can I bypass a trigger in the rules execution for the database?
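
Added example, not part of the original post and not Firebase's own code: a plain-JavaScript model of the posted rule's predicate, run over constructed request contexts to show which callers it admits. It assumes the Cloud Function's Firestore call reaches the rules with `request.auth == null`, as a call through the client SDK (the `@firebase/firestore` paths in the stack trace) would with no user signed in; the names `DOMAIN_PATTERN`, `SAMPLE_REQUESTS` and `evaluateAll` and all sample identities are made up.

```javascript
// Added illustration: a plain-JavaScript model of the rule's predicate.
// It is not the Firestore rules engine; it only mirrors the boolean logic.

// Firestore's matches() tests the whole string, so the model anchors the
// pattern taken from the rule with ^...$.
const DOMAIN_PATTERN = /^.*@domain[.]com$/;

// Model of isUserAndSignedIn(): `auth` stands in for request.auth.
function isUserAndSignedIn(auth) {
  if (auth === null || auth === undefined) return false; // request.auth != null
  const email = auth.token && auth.token.email;
  // In real rules a missing token.email makes the expression error, which denies.
  if (typeof email !== 'string') return false;
  return DOMAIN_PATTERN.test(email);
}

// Constructed request contexts (sample data, not taken from the post).
const SAMPLE_REQUESTS = [
  { who: 'signed-in domain user', auth: { uid: 'u1', token: { email: 'alice@domain.com' } } },
  { who: 'signed-in outside user', auth: { uid: 'u2', token: { email: 'bob@example.org' } } },
  { who: 'look-alike domain', auth: { uid: 'u3', token: { email: 'eve@domain.com.example.org' } } },
  { who: 'phone sign-in, no email', auth: { uid: 'u4', token: {} } },
  { who: 'client SDK with no signed-in user', auth: null }, // assumed trigger case
];

// Evaluate the predicate for every sample request.
function evaluateAll(requests) {
  return requests.map(({ who, auth }) => ({ who, allowed: isUserAndSignedIn(auth) }));
}

for (const { who, allowed } of evaluateAll(SAMPLE_REQUESTS)) {
  console.log(`${allowed ? 'ALLOW' : 'DENY '}  ${who}`);
}
```

Requests made through the Firebase Admin SDK are not evaluated against security rules at all; they are authorised through IAM.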