
I am going to develop a new web app with complicated logic using nodejs.

I am attracted by firebase because of its convenient user authentication/login (google, facebook, twitter, email-pass login/registration just by lines of code and setting)

Is there any problem if I use Google Cloud Functions for the server side?

  • Q1: Is Firestore fully secured? I have experience with the Firebase Realtime Database. But with the Firebase Realtime Database, all users have nearly similar privileges once they have logged in (with any account). It is a serious security problem.

  • Q2: Can the security problem mentioned above be solved by using Google Cloud Functions?

  • Q3: Can I do any logic, i.e. requiring any external library, in a Google Cloud Function? Is there any limitation on what a Google Cloud Function can't do, compared with a standalone nodejs server?

  • Q4 (maybe not related to the main topic): Should I design my app to rely on Firebase Authentication, which also means my app has to call a Firebase API to check user credentials, and the web client needs to load the Firebase SDK? Is this good practice for app performance and scalability?

Thank you very much in advance

Frank van Puffelen
Sang
  • Can you elaborate on Q1? In my experience it is possible to implement many security scenarios in [Firebase's security rules language](https://firebase.google.com/docs/database/security/). While the rules language for Firestore is different, the concept is the same. – Frank van Puffelen Jun 01 '18 at 02:44

1 Answer

Theoretically yes you can use functions as an entry point to your Firestore so you can handle data. However you can write complex security rules with RTDB and Firestore... I mean you end up with a massive .rules file, but you totally can. Just as a sample:

service cloud.firestore {
  match /databases/{database}/documents {
    // Default deny: anything not matched by a more specific rule below is blocked.
    match /{document=**} {
      allow read, write: if false;
    }
    // A profile document keyed by uid is readable and updatable only by its owner.
    match /profiles/{uid} {
      allow read, update: if request.auth.uid == uid;
    }
    match /bookmarks/{key} {
      // Create: caller must be signed in and must set uid to their own uid.
      allow create: if request.auth.uid != null && request.auth.uid == request.resource.data.uid;
      // Read: only the stored owner may read the document.
      allow read: if request.auth.uid != null && request.auth.uid == resource.data.uid;
      // Update: only the stored owner, and the uid field may not be reassigned to another user.
      allow update: if request.auth.uid != null && request.auth.uid == resource.data.uid && request.resource.data.uid == resource.data.uid;
    }
  }
}

I mean you can continue to build out the rules, even to validate fields, but this pretty much only allows the owner of the doc to make any changes or creations. And definitely prevents deletion.

You can also effectively use anything you would use for a node server on Firebase Functions. (Or Google Cloud Functions) I'd take a look at this answer too.

MichaelSolati
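The rules in the answer, modelled as plain JavaScript so the allow/deny outcomes (default deny, owner-only access, and the uid-reassignment edge case on update) can be exercised offline on constructed requests. This is an added example, not code from the answer or from Firebase; the request and document shapes are simplified stand-ins for the rules-language objects.

```javascript
// Added example: a plain-JS model of the answer's Firestore rules.
// `request.auth` is null for unauthenticated callers, as in the rules language.
function isSignedIn(request) {
  return request.auth !== null && request.auth !== undefined;
}

// Decide one operation on one document path. `resource` is the stored document
// (or null if it does not exist); `request.resource` is the incoming write.
function allowed(op, path, request, resource) {
  const [collection, id] = path.split('/').filter(Boolean);
  const uid = isSignedIn(request) ? request.auth.uid : null;

  if (collection === 'profiles') {
    // match /profiles/{uid}: only the owner may read or update; no create/delete.
    return (op === 'read' || op === 'update') && uid !== null && uid === id;
  }

  if (collection === 'bookmarks') {
    const stored = resource ? resource.data : null;
    const incoming = request.resource ? request.resource.data : null;
    switch (op) {
      case 'create': // caller must be signed in and must own what is written
        return uid !== null && incoming !== null && uid === incoming.uid;
      case 'read':   // only the stored owner may read
        return uid !== null && stored !== null && uid === stored.uid;
      case 'update': // caller must own the stored doc AND must not reassign it
        return uid !== null && stored !== null && incoming !== null &&
          uid === stored.uid && incoming.uid === stored.uid;
      default:       // delete (and anything else) falls through to deny
        return false;
    }
  }
  // match /{document=**} { allow read, write: if false; }
  return false;
}

// Constructed sample principals and document for demonstration (not real data).
const alice = { auth: { uid: 'alice' } };
const bob = { auth: { uid: 'bob' } };
const anon = { auth: null };
const aliceBookmark = { data: { uid: 'alice', url: 'https://example.com' } };
const bobBookmark = { data: { uid: 'bob', url: 'https://example.com' } };
```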