3

So I'm trying to build an http endpoint using a Cloud function. This cloud function is only invoked after the user signs in. So I can pass the user token and verify it on the server side. I understand how to do this.

I also have security rules on my Firestore collections with authorization rules set up using request.auth.uid. This also just works if I use the firebase web sdk.

But my question is - how do I use the same authorization rules via cloud functions? I don't want to rewrite my auth logic separately for the http endpoint.

Improve this question

2 Answers 2

Reset to default
3

Security rules only apply to access from web and mobile SDKs. It does not apply to code using any of the server SDKs, including the Firebase Admin SDK and anything you would use with Cloud Functions. You will have to apply your own logic to check the validity of data before it's added to Firestore. The same is true for Realtime Database and Cloud Storage security rules.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Is there any plan to add that as a feature?!
Not that I know of. You could file a feature request. support.google.com/firebase/contact/support
2

As you use the admin sdk in your functions, the check for the auth looks a bit different. Just watch this video from The Net Ninja. He is explaining how to do this. Just use the generated token instead what’s been used in the video.

Improve this answer

4 Comments

I watched the video, thanks! This is exactly what I hope to avoid though. He is writing custom authorization logic in the cloud function. I want all authorization logic to be in the security rules.
But if you use cloud functions, you bypass security rules if you using the admin sdk.
Yes and my question is - how do I not bypass those rules? Is there a way?
No, there is none. In one of the Firebase videos on YouTube (I think it was the one about security rules) they mention that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.