
I'm using Firebase Cloud Functions with the Admin SDK in order to perform some operations on the Realtime Database on behalf of the user.

For example, if the user wants to store a new parameter in the database, they press a button on their Android client, which relies on a directly callable function (onCall). This callable function will save the parameter in the right location in the database.

Now, I understand the onCall function automatically receives some info about the user in the context parameter, such as the user id and the token, but I don't know if these parameters are used to control the effective identity of the user.

Since the function is running with the Admin SDK in full-privilege mode, I want to be sure that the user is who he claims to be. In a scenario in which one user steals the uid of another user and calls the function with this uid but with his own Auth token, will he be detected?

Does the function check if the user id (uid) is compliant with the Auth token?

If so, is the only thing I have to do to check whether context.auth is not null?

igol
    Just to confirm, the android client is calling the cloud function which is then accessing firestore/db via the admin API. If so, check out https://stackoverflow.com/questions/42751074/how-to-protect-firebase-cloud-function-http-endpoint-to-allow-only-firebase-auth for how to protect the function. – R. Wright Oct 17 '18 at 21:01
  • Ok, my Android client uses the Firebase client libraries, so I can rely on callable functions instead of the simple HTTPS-triggered functions. In the question you linked, one of the answers states that callable functions ensure the authenticity of the user, but I still don't understand if the function controls only the token, or also the token-uid compliance. – igol Oct 17 '18 at 21:11
  • The auth.uid is validated, so you can count on that being valid/matching the token. However, the Firebase Admin API does not run the security rules, so you need to ensure your update or query validates that the user has access. – R. Wright Oct 17 '18 at 21:15
  • I still don't get it. What does it mean that the auth.uid is validated? If it is validated because it matches the token, ok, I'm sure about the authenticity of the user. – igol Oct 17 '18 at 21:24
  • Is the auth.uid passed as a parameter from the Android function, or is it generated automatically on the server side from the token? – igol Oct 17 '18 at 21:27
  • The value comes directly from the validated Auth token (jwt). https://firebase.google.com/docs/reference/functions/functions.https.html#.CallableContext – R. Wright Oct 17 '18 at 21:30
  • Ok, so if it is generated on the server side using the Auth token, I will always have the right id, and the only thing I need to control is whether context.auth exists. Once I have assured its presence, I can perform all the database updates I wanted. I was thinking of a situation in which a malignant user could replace his auth.id with another one. – igol Oct 17 '18 at 21:39
  • Correct. You can trust the value. – R. Wright Oct 17 '18 at 21:40

1 Answer


Just to move this out of the comments: the context.auth.uid value is validated server side, so you can trust that the user hasn't manipulated the value. (See the code here.) Now, when you use the Firestore or Realtime DB Admin API, the function has access to any value in the database, so you do need to ensure the user has access to the value in the DB (i.e., add a `where uid='uid'`).

R. Wright
  • I want to ensure only logged-in users are able to execute the callable function. Is it a secure approach to wrap the callable function code in an `if(context.auth.user.uid){}` block? Or is it possible to lock down access to a function outside of its code itself. – 1252748 Feb 28 '21 at 21:01
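An added example (not code from the question, the answer, or Firebase itself) of the pattern the answer and comments describe: the presence check on context.auth, trusting the server-derived uid rather than anything in the payload, and still scoping the Admin SDK write to the caller's own subtree because the Admin SDK ignores security rules. `HttpsError` and `makeFakeDb` are assumed stand-ins for `functions.https.HttpsError` and `admin.database()` so the snippet runs offline.

```javascript
// Added example (not from the question or answer): a callable-style handler
// that trusts context.auth.uid (set server-side from the verified ID token)
// but still authorizes the write, because the Admin SDK bypasses security rules.
// Stand-ins below replace firebase-functions/firebase-admin so this runs offline;
// in a real function use functions.https.onCall, functions.https.HttpsError and
// admin.database().

class HttpsError extends Error {
  // Mirrors the (code, message) shape of functions.https.HttpsError.
  constructor(code, message) { super(message); this.code = code; }
}

// Minimal in-memory stand-in for admin.database(): ref(path).set(value).
function makeFakeDb() {
  const store = {};
  return {
    ref: (path) => ({ set: async (value) => { store[path] = value; } }),
    store,
  };
}

const PARAM_NAME = /^[A-Za-z0-9_]{1,64}$/; // rejects '/', '.', '$', '#', '[', ']'

// Handler body exactly as it would be passed to functions.https.onCall.
async function saveParameter(data, context, db) {
  // 1. Presence check: unauthenticated callers have no context.auth at all.
  if (!context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign-in required.');
  }
  const uid = context.auth.uid; // derived from the verified token, not from data

  // 2. Never take the identity from the request payload. If a client sends a
  //    uid, it must match the token's uid; otherwise reject the call.
  if (data.uid !== undefined && data.uid !== uid) {
    throw new HttpsError('permission-denied', 'uid does not match caller.');
  }

  // 3. Validate user-controlled input before using it to build a path.
  if (typeof data.name !== 'string' || !PARAM_NAME.test(data.name)) {
    throw new HttpsError('invalid-argument', 'Bad parameter name.');
  }

  // 4. Scope the write to the caller's own subtree: the Admin SDK would
  //    write anywhere, so the path itself is the authorization.
  const path = `users/${uid}/params/${data.name}`;
  await db.ref(path).set(data.value);
  return { path };
}
```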