6

How can we secure database via the rules that only allow Cloud Functions for Firebase to write data to certain locations, previously there was an option to add uid to admin client databaseAuthVariableOverride and use that uid in rules section, but now we initialise via admin.initializeApp(functions.config().firebase); so I’m not to sure about how to add additional params in.

EDIT is it a good idea to initiate with certificate for this instead? i.e

admin.initializeApp({
  credential: admin.credential.cert("/path-to-cert"),
  databaseURL: "database-url",
  databaseAuthVariableOverride: { uid: "some-id" }
});

What benefit does admin.initializeApp(functions.config().firebase) have over above and where is functions.config() actually getting data from, isn't this just a node module?

AL.
  • 36,815
  • 10
  • 142
  • 281
Ilja
  • 44,142
  • 92
  • 275
  • 498

1 Answers1

12

Normally, at the top of your Cloud Functions code, you have:

var functions = require('firebase-functions');

As part of the firebase-functions node module, you have access to a functions.config().firebase which is just an object which has everything you need to initialize the Admin SDKs, including your Database URL and a credential implementation (based off of Application Default Credentials). If you console.log(functions.config().firebase) in your code, you will see it just is an object with these properties and a few other ones you may want to use in your code.

You can add databaseAuthVariableOverride to this object to limit the Admin SDK's privileges. You can just overwrite the object itself:

var firebaseConfig = functions.config().firebase;
firebaseConfig.databaseAuthVariableOverride = {
  uid: 'some-uid',
  foo: true,
  bar: false
};
admin.initializeApp(firebaseConfig);

Or you can use something like Object.assign() to copy the relevant details to a new object:

var firebaseConfig = Object.assign({}, functions.config().firebase, {
  databaseAuthVariableOverride: {
    uid: 'some-uid',
    foo: true,
    bar: false
  }
});
admin.initializeApp(firebaseConfig);
jwngr
  • 4,284
  • 1
  • 24
  • 27
  • IIRC, the order of the arguments to `Object.assign()` are important. In the rare case that `functions.config().firebase` contains the `databaseAuthVariableOverride` property, it would override the one you've specified above. I'd recommend using `Object.assign({}, functions.config().firebase, { /* your overriding values */ })` to ensure that whatever you set stays as the final value. – samthecodingman Mar 23 '17 at 00:02
  • Is it a good idea to initiate admin with custom service worker cert instead? – Ilja Mar 23 '17 at 10:38
  • @Ilja - You can, but there is no benefit to doing that over using the credential provided in `functions.config().firebase`. And it requires you to manage your own service account key file, which is generally bad practice. @samthecodingman - Thanks for the tip. I've updated my code sample. – jwngr Mar 24 '17 at 05:13
  • It looks like the name of your project in firebase is the uid for your cloud functions. I'm still looking for documentation for further info. – dardub Apr 13 '17 at 18:31
  • I had a confusion with Cloud Functions and Firebase Functions, then I was trying to use this code within a Firebase Function. If any wants to know how to give only to a Firebase function to write access, the answer was written here http://stackoverflow.com/q/43642900/894026 taking care to indicate within the rules to deny to everybody – moonw Apr 26 '17 at 21:13