
Is there a way to apply the Firestore security rules to the admin SDK yet?

I want to apply the rules to my callable functions. I would rather not have to write them again in Node.js. According to this article from 2019, it is possible with Realtime Database but not Firestore.

> Tip #1: Admin SDK bypasses security rules
>
> As you explore security rules in depth, you will eventually discover that requests from the Firebase Admin SDK are not gated by rules. The Admin SDK is initialized with a service account, which gives the SDK full access to your data. In Firebase Realtime Database, you can scope the Admin SDK's privileges to a user ID, and enforce rules as usual. But other products, most notably Google Cloud Firestore, don't support this feature yet. You should be mindful about that when implementing server-side data access operations.

Source: https://firebase.googleblog.com/2019/03/firebase-security-rules-admin-sdk-tips.html

Note: I am aware this has been asked before but all the questions seem at least a couple of years old.

MadMac
  • Not at all snarky question: why do you WANT to apply rules to Admin SDK - the entire POINT is it's privileged code, entirely under your control, in a secure environment. Just what, exactly, do you need security protection FROM? – LeadDreamer Jan 20 '21 at 20:14
  • If a user can call a callable function I don't want them to be able to read data they are not allowed to see. For example: I have 2 users and user1 calls a callable function and returns data for user2. I either have to write code to check for this OR I can just use the rules I have already written. Keep in mind anyone can write an app to call my callable functions. – MadMac Jan 20 '21 at 20:25
  • Also I want to apply the validation rules to make sure the data has the quality expected. – MadMac Jan 20 '21 at 23:34
  • In a Cloud Function "Validation" is writing your code correctly; **it's your code**. The reason for Security Rules from *clients* is the browser is NOT a trusted environment - you *cannot* guarantee the code has not been tampered with. In a Cloud Function environment you *know* your code is secure and doing *exactly* what you designed it to do (you do test it, right?). Security Rules are NOT there for you to be lazy about code. – LeadDreamer Jan 21 '21 at 16:42
  • I get your point but needless duplication and maintenance of two sets of rules seems like a bad use of time in my opinion and prone to inconsistencies. In SQL databases you can put restrictions on the database and it does not matter where the transaction comes from. If it breaks the rules it is rejected. One source of truth. Same if you go through a single data layer. If it is a technical limitation then I can accept that, but otherwise I think one source of truth is the best bet. I am open to having my mind changed if there is a good argument. – MadMac Jan 22 '21 at 03:09
  • They aren't MEANT to be rules to establish the "integrity" of your database; they are meant to protect the SECURITY of your database from untrustworthy environments like the browser - and to do so without increasing the cost or latency of access. Why would your code running in a trusted secure environment be in danger of risking the integrity of your database - unless you don't trust the skill or integrity of yourself or your team - in which case you have FAR bigger concerns? – LeadDreamer Jan 22 '21 at 05:51

0 Answers
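The scenario raised in the comments (user1 calls a callable function and receives user2's data) comes down to an ownership check that server code must make itself, because the Admin SDK is not gated by rules. The following is an added example, not code from the thread or from Firebase: the `Map` stands in for documents read through the Admin SDK, `CallableError` stands in for `functions.https.HttpsError`, and the `ownerUid` field, profile data and handler names are hypothetical.

```javascript
// Constructed sample data standing in for documents read via the Admin SDK.
const profiles = new Map([
  ['user1', { ownerUid: 'user1', displayName: 'Ann', email: 'ann@example.test' }],
  ['user2', { ownerUid: 'user2', displayName: 'Bob', email: 'bob@example.test' }],
]);

// Stand-in for functions.https.HttpsError so the example runs without the SDK.
class CallableError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Server-side counterpart of a rule such as:
//   allow read: if request.auth != null && request.auth.uid == resource.data.ownerUid;
function canRead(auth, doc) {
  return Boolean(auth && auth.uid && doc && doc.ownerUid === auth.uid);
}

// Counterpart of a validation rule on request.resource.data:
// exactly one allowed field, holding a bounded string.
function validateProfileWrite(data) {
  const errors = [];
  const name = data.displayName;
  if (typeof name !== 'string' || name.length < 1 || name.length > 50) {
    errors.push('displayName must be a string of 1-50 characters');
  }
  const extra = Object.keys(data).filter((k) => k !== 'displayName');
  if (extra.length > 0) errors.push('unexpected fields: ' + extra.join(', '));
  return errors;
}

// Handler bodies with the (data, context) shape of a callable function.
function getProfile(data, context) {
  if (!context.auth) throw new CallableError('unauthenticated', 'Sign-in required');
  if (!data || typeof data.profileId !== 'string') {
    throw new CallableError('invalid-argument', 'profileId is required');
  }
  const doc = profiles.get(data.profileId); // an awaited document read in real code
  // Missing and foreign documents get the same error, so ids cannot be probed.
  if (!canRead(context.auth, doc)) throw new CallableError('permission-denied', 'Not allowed');
  return { displayName: doc.displayName, email: doc.email };
}

function updateProfile(data, context) {
  if (!context.auth) throw new CallableError('unauthenticated', 'Sign-in required');
  const errors = validateProfileWrite(data || {});
  if (errors.length > 0) throw new CallableError('invalid-argument', errors.join('; '));
  // The target document is derived from the verified uid, never from client input.
  const uid = context.auth.uid;
  profiles.set(uid, { ...(profiles.get(uid) || { ownerUid: uid }), displayName: data.displayName });
  return { ok: true };
}
```

Keeping `canRead` and `validateProfileWrite` as pure functions lets them be unit-tested against the same cases used to test the security rules, which limits drift between the two copies of the policy.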