Firestore is good product. But when we operate to firestore from server side, that firestore-admin ignore rule and enable full access. It's scary point.
I came up with a rule-based way to access the firestore from the server side
Warning
This is PoC, I'm not try this in production.
Prerequirement
First, you need create service(robot) account on console.
Sample Code
const firebaseAdmin = require("firebase-admin")
const firebaseClient = require("firebase")
require("firebase/firestore");
// Paste your service account (create on prerequirement)
const serviceAccount = require( "./YOUR-SERVICE-ACCOUNT.json")
const firebaseConfig = {
// YOUR FIREBASE CLIENT CONFIG
}
// Paste your service(robot) account id
const serviceAccountUserId = "YOUR_SERVICE_ACCOUNT_USER_ID"
const main = async () => {
firebaseClient.initializeApp(firebaseConfig)
firebaseAdmin.initializeApp({
credential: firebaseAdmin.credential.cert(serviceAccount)
})
// Create custom token with admin
const customToken = await firebaseAdmin.auth().createCustomToken(serviceAccountUserId)
// Execute sign-in. You can fail write access when comment out next line.
await firebaseClient.auth().signInWithCustomToken(customToken)
const db = firebaseClient.firestore()
// rule like...
// match /auth/{someobj} {
// allow read, write: if request.auth != null;
// }
const result = await db.collection("/auth").add({
foo: "baz",
}).doc
console.log(result)
// Failed Example:
// const resultFailed = await db.collection("/auth-cant-write").add({
// foo: "baz",
// }).doc
// console.log(resultFailed)
}
main()
This will also help impersonate the user in server-side (like firebase-functions).
Top comments (0)