2

I am trying to secure my real time database using security rules at specific nodes.

I understand that Firebase rules will apply when I write/ read using my device.

What if the write / read happened to be from Cloud Functions?

If I secured (users) node then does Cloud Functions know that (users) is secured? or it reads and writes anyway?

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
Hasan Bou Taam
  • 4,017
  • 2
  • 12
  • 22

1 Answers1

8

When you use the Firebase Admin SDK to access Realtime Database, by default it has full read and write access. The assumption with the Admin SDK is that you're running in a privileged environment where the code is fully under your control, and you know exactly what you're doing.

The fact that your code is running in Cloud Functions has no bearing on any of this. It could just as easily be running on your desktop or some other server you control. This is a property of the Admin SDK.

If you want to change the scope of access to Realtime Database, you will have to know the end user's UID, then initialize the SDK to limit the scope of its privilege to that UID using databaseAuthVariableOverride at the time of init.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • 1
    So this means that firebase functions will actually by default overpass the security rules? – Hasan Bou Taam Mar 11 '18 at 06:50
  • And I have to manually write security rules from the actual function? – Hasan Bou Taam Mar 11 '18 at 06:52
  • 2
    Please read my answer again. Running code Cloud Functions doesn't change anything. Initializing the Admin SDK with a service account credentials gives you full control over the project. If you want to impose constraints, write that into your code. – Doug Stevenson Mar 11 '18 at 07:14
  • 2
    @svi.data Code running in Cloud Functions uses the Admin SDK to access Firestore. The Admin SDK by default runs with administrative privileges that bypass your security rules. This is by design so that your administrative code can do things that regular user-code can not do, without complicating your security rules. – Frank van Puffelen Mar 11 '18 at 07:21
  • @FrankvanPuffelen are you saying that I shouldn't worry about security rules in case of writing to my database through functions? – Hasan Bou Taam Mar 11 '18 at 07:24
  • 1
    @FrankvanPuffelen If functions bypass the real time database rules, then how should we prevent them from writing where they shouldn't? – Hasan Bou Taam Mar 11 '18 at 07:31
  • Your code should only do exactly what you want it to do. If you require it to be constrained by some rules, then write those constraints into your code. – Doug Stevenson Mar 11 '18 at 07:32
  • 1
    so we have to worry about writing rules from security rules tab for client side, and we have to worry another time to writing same rules in firebase function code.....seems like doing the work twice? – Hasan Bou Taam Mar 11 '18 at 07:34
  • It's up to you how much you want to worry about either side. It's a discussion that goes far deeper than could be explored in a Stack Overflow question. If you want a discussion about the pros and cons, please start a discussion on firebase-talk. https://groups.google.com/forum/#!forum/firebase-talk – Doug Stevenson Mar 11 '18 at 07:36
  • 1
    It would have been much much easier if firebase functions detect the already posted rules. But anyway thanks for your reply Doug Stevenson and @FrankvanPuffelen. – Hasan Bou Taam Mar 11 '18 at 07:39
  • @svi.data I'm not sure you understand correctly what Doug is trying to explain up here. It's a very good thing that the Admin SDK is bypassing the security rules, this is the intended behaviour for any "admin" SDK. You're responsible for running it in a secure environment where you users do not have access to it. – schankam Feb 13 '19 at 08:12