
I want to ask about the Firebase Admin SDK in the case of using Custom Claims between two related apps: Server App and Client App. Each of them has different features. They are both placed inside the same Firebase project, but use different collections. Both apps use Cloud Functions, which have different Node.js files. I put all the Cloud Function code in different Visual Studio Code projects.

For example in this code for Server App:

```js
claims = {
  serverFeatureA: true,
  serverFeatureB: false,
};

admin.auth().setCustomUserClaims(uid, claims);
```

And this is for Client App:

```js
claims = {
  clientFeatureA: true,
  clientFeatureB: false,
};

admin.auth().setCustomUserClaims(uid, claims);
```

What I am worried about is what happens if the same Gmail account uses both of these apps and a Cloud Function assigns its claims for different features. Will this overwrite the old claims written in Client App, so that only the Server App ones exist, if the user subscribed to Client first, then Server? Any help will be great. Thanks.

Renaud Tarnec
Wege
  • You mention that "They are all placed inside the same Firebase project": so can you confirm that these users are using the same authentication service of this Firebase project. You also write that "(you) put all the Cloud Function codes in different project.": do you confirm that here you are speaking about different projects in your development environment/IDE. Not different **Firebase** projects. – Renaud Tarnec Jun 26 '22 at 09:40
  • Yeah, Renaud. Those apps are using the same Firebase project. I meant the Cloud Function code is in different Visual Studio Code projects, not Firebase. I am sorry. I am gonna fix my question above. – Wege Jun 26 '22 at 09:44

1 Answer


Since you have only ONE Firebase project (which means one set of users declared in the authentication service of this Firebase project), when one of your Cloud Functions updates the Custom Claims assigned to a user of this project it overwrites the Custom Claims previously set for this user (independently of the Cloud Function that previously set the Claims).

What you can do to avoid that is to check, in each of your Cloud Functions, that the user that is going to be updated does not hold the Claims of the other profile. In other words, prior to assigning a Server App claim to a specific user you check that this user does not have the Client App claim, and vice-versa.

The code to do so depends on your Cloud Function trigger type and code.

Renaud Tarnec
  • I see. That means before user's uid is added as new member inside Server Collection, I have to check the user's claims first and if user doesn't have any Custom Claims from Server App, then I have to upgrade all of the Claims for both apps. So, I need to create function to check it both for Client App and Server App. Thank you very much for your help, Renaud. God blesses you. – Wege Jun 26 '22 at 09:50
  • I think the tutorial for my case can be found on this website: https://firebase.google.com/docs/auth/admin/custom-claims#node.js – Wege Jun 26 '22 at 10:07
  • I just thought up a way for my case. I think it is much better to assign the Users who signed up to Client App a claim such as {client: true}. Then if Users are also trying to sign up on Server App, then I need to check in its own Cloud Function whether this User has the claim {client: true}. If it doesn't have any, then sign it up as a new User with claim {server: true}. – Wege Jun 27 '22 at 09:22
  • I think the best way to achieve non-overwriting claims is to assign different claims in the Client and Server apps. For example, in the Client app, we define all premium features with different names compared to the ones that exist inside the Server app. This way, there won't be any overlapping claims. – Wege Jul 02 '22 at 10:59
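
An added example (not code from the question or the answer): because `setCustomUserClaims` replaces the user's whole claims object, as the answer states, each Cloud Function can read the current claims with `getUser` and write back a merged object that changes only its own app's keys. The helper names, the `server`/`client` key prefixes and the in-memory `fakeAuth` stub are assumptions made for illustration; in a real function `auth` would be `admin.auth()`.

```javascript
// Documented size limit for a user's custom claims payload.
const MAX_CLAIMS_BYTES = 1000;

// Pure helper: keep every claim owned by the other app, and let the caller
// write only keys inside its own namespace (hypothetical prefix convention).
function mergeAppClaims(existing, appPrefix, updates) {
  const merged = { ...(existing || {}) };
  for (const [key, value] of Object.entries(updates)) {
    if (!key.startsWith(appPrefix)) {
      throw new Error(`claim "${key}" is outside the "${appPrefix}" namespace`);
    }
    merged[key] = value;
  }
  if (Buffer.byteLength(JSON.stringify(merged), 'utf8') > MAX_CLAIMS_BYTES) {
    throw new Error('merged claims exceed the 1000-byte limit');
  }
  return merged;
}

// Read-merge-write wrapper. `auth` only needs getUser() and
// setCustomUserClaims(), the two Admin SDK calls used here.
async function setAppClaims(auth, uid, appPrefix, updates) {
  const user = await auth.getUser(uid); // customClaims is undefined if never set
  const merged = mergeAppClaims(user.customClaims, appPrefix, updates);
  await auth.setCustomUserClaims(uid, merged); // replaces the whole object
  return merged;
}

// Constructed in-memory stand-in for admin.auth(), so the example runs offline.
function fakeAuth(store) {
  return {
    getUser: async (uid) => ({ uid, customClaims: store[uid] }),
    setCustomUserClaims: async (uid, claims) => { store[uid] = claims; },
  };
}
```

The read-merge-write sequence is not atomic, so two functions updating the same uid at the same moment can still lose one update. New claims reach the client only after its ID token is refreshed.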