DEV Community

loading...

Operate Firestore data with robot account on server side

terrierscript profile image terrierscript ・1 min read

Firestore is good product. But when we operate to firestore from server side, that firestore-admin ignore rule and enable full access. It's scary point.

I came up with a rule-based way to access the firestore from the server side

Warning

This is PoC, I'm not try this in production.

Prerequirement

First, you need create service(robot) account on console.

Sample Code

const firebaseAdmin = require("firebase-admin")
const firebaseClient = require("firebase")
require("firebase/firestore");

// Paste your service account (create on prerequirement)
const serviceAccount = require( "./YOUR-SERVICE-ACCOUNT.json")

const firebaseConfig = {
  // YOUR FIREBASE CLIENT CONFIG
}

// Paste your service(robot) account id
const serviceAccountUserId = "YOUR_SERVICE_ACCOUNT_USER_ID"

const main = async () => {
  firebaseClient.initializeApp(firebaseConfig)

  firebaseAdmin.initializeApp({
    credential: firebaseAdmin.credential.cert(serviceAccount)
  })
  // Create custom token with admin
  const customToken = await firebaseAdmin.auth().createCustomToken(serviceAccountUserId)

  // Execute sign-in. You can fail write access when comment out next line.
  await firebaseClient.auth().signInWithCustomToken(customToken)

  const db = firebaseClient.firestore()

  // rule like...
  // match /auth/{someobj} {
  //    allow read, write: if request.auth != null;
  // }
  const result = await db.collection("/auth").add({
    foo: "baz",
  }).doc
  console.log(result)

  // Failed Example:
  // const resultFailed = await db.collection("/auth-cant-write").add({
  //   foo: "baz",
  // }).doc
  // console.log(resultFailed)
}
main()
Enter fullscreen mode Exit fullscreen mode

This will also help impersonate the user in server-side (like firebase-functions).

Discussion (0)

pic
Editor guide