3

So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.

I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.

But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.

na_ka_na · 1,558 reputation · badges: 1 gold, 12 silver, 15 bronze

2 Answers

3

Security rules only apply to access from web and mobile SDKs. They do not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.

Doug Stevenson · 297,357 reputation · badges: 32 gold, 422 silver, 441 bronze
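The answer above says the Admin SDK writes are not checked against rules, so the check has to be done in the function itself. The following is an added example, not code from the question, the answers, or Firebase: an HTTP handler that re-implements a hypothetical rule `allow update: if request.auth.uid == resource.data.ownerId` on the server before writing with the Admin SDK. The `posts` collection, the `authorizeUpdate`/`handleUpdatePost` functions and the injected `deps` object (standing in for `admin.auth().verifyIdToken` and Firestore reads/writes) are assumptions made for the example; `makeFakeDeps` provides constructed in-memory stand-ins so it runs offline.

```javascript
// Added example, not from the question or the answers: an HTTP handler that
// re-implements a Firestore security rule on the server, because writes made
// through the Admin SDK are never checked against rules.
//
// Hypothetical rule being mirrored, for a "posts" collection:
//   allow update: if request.auth != null
//                 && request.auth.uid == resource.data.ownerId
//                 && request.resource.data.ownerId == resource.data.ownerId;
//
// Firebase calls (admin.auth().verifyIdToken, Firestore get/update) are injected
// through `deps`, so the logic can run and be tested offline with fakes.

// Pure check: the decision the rule above would make for one update.
function authorizeUpdate(decodedToken, existingDoc, newData) {
  if (!decodedToken || typeof decodedToken.uid !== 'string') {
    return { allowed: false, reason: 'unauthenticated' };
  }
  if (!existingDoc) {
    // Rules evaluate against resource.data; a missing document fails the rule.
    return { allowed: false, reason: 'not-found' };
  }
  if (existingDoc.ownerId !== decodedToken.uid) {
    return { allowed: false, reason: 'not-owner' };
  }
  if (newData.ownerId !== undefined && newData.ownerId !== existingDoc.ownerId) {
    // request.resource.data.ownerId must equal resource.data.ownerId.
    return { allowed: false, reason: 'owner-change-forbidden' };
  }
  return { allowed: true, reason: 'ok' };
}

// "Authorization: Bearer <idToken>" -> idToken, or null when absent/malformed.
function extractBearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/.exec(value.trim());
  return match ? match[1] : null;
}

// Handler body for an HTTPS Cloud Function. In production `deps` would be:
//   verifyIdToken: (t)        => admin.auth().verifyIdToken(t)
//   getPost:       (id)       => db.collection('posts').doc(id).get()
//                                  .then(s => (s.exists ? s.data() : null))
//   updatePost:    (id, data) => db.collection('posts').doc(id).update(data)
// and the function itself would be:
//   exports.updatePost = functions.https.onRequest(async (req, res) => {
//     const r = await handleUpdatePost(req, deps);
//     res.status(r.status).json(r.body);
//   });
async function handleUpdatePost(req, deps) {
  const idToken = extractBearerToken(req.headers);
  if (!idToken) return { status: 401, body: { error: 'missing bearer token' } };

  let decoded;
  try {
    decoded = await deps.verifyIdToken(idToken); // rejects bad/expired tokens
  } catch (e) {
    return { status: 401, body: { error: 'invalid token' } };
  }

  const { postId, data } = req.body || {};
  if (typeof postId !== 'string' || typeof data !== 'object' || data === null) {
    return { status: 400, body: { error: 'bad request' } };
  }

  const decision = authorizeUpdate(decoded, await deps.getPost(postId), data);
  if (!decision.allowed) {
    // The Admin SDK would perform this write unchecked; this is the gate the
    // rule would have provided. A flat 403 mirrors the rules' permission-denied
    // and does not reveal whether the document exists.
    return { status: 403, body: { error: 'permission denied' } };
  }

  await deps.updatePost(postId, data);
  return { status: 200, body: { ok: true } };
}

// Constructed in-memory stand-ins for Firebase Auth and Firestore.
function makeFakeDeps() {
  const posts = { p1: { ownerId: 'alice', title: 'hello' } };
  const tokens = { 'tok-alice': { uid: 'alice' }, 'tok-bob': { uid: 'bob' } };
  return {
    posts,
    verifyIdToken: async (t) => {
      if (!tokens[t]) throw new Error('invalid token');
      return tokens[t];
    },
    getPost: async (id) => posts[id] || null,
    updatePost: async (id, data) => { Object.assign(posts[id], data); },
  };
}
```

The predicate in `authorizeUpdate` is the only place that duplicates the rule, so it is the one spot to update when the rules file changes; keeping it a pure function makes that drift cheap to unit-test against the same cases you would run in the rules emulator.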
2

As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He explains how to do this. Just use the generated token instead of what's been used in the video.

Constantin Beer · 5,447 reputation · badges: 6 gold, 25 silver, 43 bronze
  • I watched the video, thanks! This is exactly what I hope to avoid though. He is writing custom authorization logic in the cloud function. I want all authorization logic to be in the security rules. – na_ka_na Aug 28 '19 at 09:14
  • But if you use cloud functions, you bypass security rules if you are using the admin sdk. – Constantin Beer Aug 28 '19 at 09:20
  • Yes and my question is - how do I not bypass those rules? Is there a way? – na_ka_na Aug 28 '19 at 10:28
  • No, there is none. In one of the Firebase videos on YouTube (I think it was the one about security rules) they mention that. – Constantin Beer Aug 28 '19 at 10:44