Firebase admin on backend for verifyIdToken and use Firestore

Question

I'm trying to use Firebase Admin on my backend for "faking" client authentication by verifying Id Token in order to use firestore from the backend.

The idea is to use my server as a middleware between my client and firestore.

I can initialize FirebaseAdmin on the backend and verifyIdToken() from client properly, but I don't have an idea for using firestore after that. Can you guys show me a way for doing it?

import * as firebaseAdmin from 'firebase-admin';
import firebaseServiceAccountKey from './firebaseServiceAccountKey.json';

if (!firebaseAdmin.apps.length) {
  firebaseAdmin.initializeApp({
    credential: firebaseAdmin.credential.cert(
      firebaseServiceAccountKey
    ),
    databaseURL: ##########################,
  });
}

// This is working 
function getUser(token) {
  return firebaseAdmin
    .auth()
    .verifyIdToken(token)
    .then((decodedToken) => {
      return decodedToken;
    })
    .catch((error) => {
      return error
    });
}

/* 
Now I want to use Firestore authenticated with this token, should I 
import firebase from "firebase" 
and then try auth() with token?
*/

Answer 1

Access to Firestore through the Admin SDK always happens with full administrative privileges. There is no way to access Firestore as the user whose token you verified.

If you want to use this middleware approach, you will have to ensure it only accesses data the user is authorized for in the code itself.

Also see:

• Pass user auth to Firestore from Cloud functions
• How to make Firebase Functions act as a user instead of being an admin?

---

If the goal is to have tighter control over who can sign in to your app, consider using custom authentication instead - where the server mints a custom token for each user, that the client-side SDK then uses to sign in.