firebase-admin-node

FR: Make databaseAuthVariableOverride work for Firestore

Open adamduren opened this issue 6 years ago • 21 comments

From what I understand databaseAuthVariableOverride does not work for Firestore. This was important in the real time database to make sure that scripts don't execute with unchecked permissions. Is there an alternative for Firestore?

adamduren avatar Nov 09 '17 15:11 adamduren

I believe there's some ongoing work to support this. @mikelehen should know more.

hiranya911 avatar Nov 09 '17 18:11 hiranya911

cc/ @mcdonamp

This is a good feature request and we've had some internal discussions about how we might try to support this in the future, but it will probably not be something we can accommodate in the near term unfortunately.

mikelehen avatar Nov 09 '17 22:11 mikelehen

The near term recommendation that I offer is: have your function mint a custom auth token and then use the client libs instead of the admin ones.

In the future, we're seeing how we could either:

  • Bake this functionality into the SDK
  • Add a side-channel to accept a second credential (the user credential) in addition to the service credential

asciimike avatar Nov 09 '17 23:11 asciimike

Yea, that was the first thought I had but the js-sdk is incompatible with node per https://github.com/firebase/firebase-js-sdk/issues/221.

adamduren avatar Nov 09 '17 23:11 adamduren

@adamduren You are correct. We may have a solution for that in the next week or two though. Stay tuned.

mikelehen avatar Nov 10 '17 00:11 mikelehen

I'd love to be able to continue to use my existing validation rules on the server. It really helps me keep the database consistent and monomorphic... I guess that validation based only on the data format is not possible without also taking into account authentication rules and permissions, right? Do you guys have any news to share with us? Thanks.

lucasavila00 avatar Jan 29 '18 18:01 lucasavila00

@degroote22 this is still a topic in active discussion, but unfortunately we don't have a great answer at the moment, as it's technically surprisingly tricky. We'll make sure to reach out to interested folks via these channels when we have more news to share (ideally news in the form of an EAP ;)

asciimike avatar Jan 29 '18 19:01 asciimike

Just poppin' in here to say that I think this is a great feature idea, and I can't wait to see it land :v:

One of my favorite features of Firebase is how the client library is optional. Limiting the permissions of server-side scripts is an important step in allowing devs to skip out on the client library with confidence when using Firestore.

Thanks for all your work, Firebase team!

jamesplease avatar May 16 '18 05:05 jamesplease

+1 I consider this to be a key security feature... any update?

kglowacki avatar Jun 15 '18 17:06 kglowacki

Can we expect this in the near future? It would be really helpful!

DanielMenke avatar Sep 10 '18 13:09 DanielMenke

Unfortunately it requires some changes to underlying infrastructure that I don't see coming anytime soon, so I'd rely on also performing server-side validation when using those clients.

asciimike avatar Sep 10 '18 17:09 asciimike
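
The server-side validation suggested in the comment above, sketched as an added example that is not part of the thread or of any Firebase SDK: because the Admin SDK is not constrained by Firestore security rules, the function itself checks the caller against a default-deny rule table before the privileged write runs. The rule table, function names and paths are hypothetical; `auth` is assumed to be the caller's already verified identity, and `writer` stands in for the Admin SDK write.

```javascript
// Added example: every name here is hypothetical and no Firebase API is called.
// Each rule pairs a Firestore-style path pattern with a write predicate;
// {name} captures one path segment, as a security-rules match block would.
const RULES = [
  { pattern: 'users/{userId}',
    write: (auth, p) => auth != null && auth.uid === p.userId },
  { pattern: 'users/{userId}/notes/{noteId}',
    write: (auth, p, data) => auth != null && auth.uid === p.userId &&
      data != null && typeof data.text === 'string' && data.text.length <= 500 },
];

// Returns the captured segments when path matches pattern, otherwise null.
function matchPath(pattern, path) {
  const pat = pattern.split('/');
  const seg = path.split('/');
  if (pat.length !== seg.length) return null;
  const params = {};
  for (let i = 0; i < pat.length; i++) {
    const m = /^\{(\w+)\}$/.exec(pat[i]);
    if (m && seg[i] !== '') params[m[1]] = seg[i];
    else if (m || pat[i] !== seg[i]) return null;
  }
  return params;
}

// Default deny: allowed only when a matching rule's predicate returns true.
function isWriteAllowed(auth, path, data) {
  return RULES.some((rule) => {
    const params = matchPath(rule.pattern, path);
    return params !== null && rule.write(auth, params, data) === true;
  });
}

// Runs the privileged writer (in a real function, the Admin SDK write) only
// after the check passes. `auth` must be the already verified caller identity.
function guardedWrite(writer, auth, path, data) {
  if (!isWriteAllowed(auth, path, data)) {
    const err = new Error('permission-denied: ' + path);
    err.code = 'permission-denied';
    throw err;
  }
  return writer(path, data);
}
```

Paths that match no rule are rejected, so a collection added later stays closed to callers until a rule is written for it.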

Given that the transaction API of the client sdk doesn't match the transaction api of the admin sdk, I can't even replace the sdk usage in my functions with the client sdk. =(

https://github.com/firebase/firebase-js-sdk/issues/2112

lookfirst avatar Aug 25 '19 18:08 lookfirst

I believe that I hit a wall until I found this issue. My problem is outlined here: https://stackoverflow.com/questions/63294542/cannot-impersonate-user-with-firebase-admin-during-firestore-calls

I believe the answer is: it's not possible, because Google didn't make impersonating possible for Firestore with admin-sdk?

Is my assumption correct?

@mikelehen or @schmidt-sebastian any news on this?

mesqueeb avatar Aug 07 '20 02:08 mesqueeb

That statement is still correct, but this is an often requested feature, so don't give up hope yet :)

schmidt-sebastian avatar Aug 07 '20 05:08 schmidt-sebastian

For integrity and security reasons, we use Cloud Functions as an API layer and never directly write to Firestore from the client. We're looking at how to better manage access control and this feature would make a huge difference.

Specifically, we could use the authVariableOverride to scope Admin API requests (from our API layer) down to the user calling the function, which would in turn allow us to use native security rules instead of having to come up with our own access control system.

I hope you consider reprioritizing this functionality. It would really improve the flexibility of the Admin API and provide improved security at the same time.

Would love this feature! Any updates?

magnusnilsen avatar Jan 30 '21 13:01 magnusnilsen

upvoting this feature request here too 👍 Any updates?

abba-logico-srl avatar Apr 09 '21 08:04 abba-logico-srl

I'd love to have this.

sanny-io avatar Oct 31 '21 16:10 sanny-io

+1 to this feature. It is very important for being able to use native rules. Any update?

saidgeek avatar Apr 27 '22 07:04 saidgeek

@schmidt-sebastian any update from the Firebase team?

It looks like a highly requested feature, especially for large applications built on Firebase. At the moment we are using the alternative of authenticating the firebase-js-sdk with a custom token, but at scale, we can easily reach some quota on identitytoolkit.googleapis.com.

SamyPesse avatar Jun 11 '22 14:06 SamyPesse

+1

andreav avatar Oct 06 '23 15:10 andreav