FR: Make databaseAuthVariableOverride work for Firestore #132
Comments
I believe there's some ongoing work to support this. @mikelehen should know more. |
cc/ @mcdonamp This is a good feature request and we've had some internal discussions about how we might try to support this in the future, but it will probably not be something we can accommodate in the near term unfortunately. |
The near term recommendation that I offer is: have your function mint a custom auth token and then use the client libs instead of the admin ones. In the future, we're seeing how we could either:
|
Yea, that was the first thought I had but the js-sdk is incompatible with node per firebase/firebase-js-sdk#221. |
@adamduren You are correct. We may have a solution for that in the next week or two though. Stay tuned. |
I'd love to be able to continue to use my existing validation rules on the server. |
@degroote22 this is still a topic in active discussion, but unfortunately we don't have a great answer at the moment, as it's technically surprisingly tricky. We'll make sure to reach out to interested folks via these channels when we have more news to share (ideally news in the form of an EAP ;) |
Just poppin' in here to say that I think this is a great feature idea, and I can't wait to see it land ✌️ One of my favorite features of Firebase is how the client library is optional. Limiting the permissions of server-side scripts is an important step in allowing devs to skip out on the client library with confidence when using Firestore. Thanks for all your work, Firebase team! |
+1 |
Can we expect this in the near future? It would be really helpful! |
Unfortunately it requires some changes to underlying infrastructure that I don't see coming anytime soon, so I'd rely on also performing server-side validation when using those clients. |
Given that the transaction API of the client SDK doesn't match the transaction API of the admin SDK, I can't even replace the SDK usage in my functions with the client SDK. =( |
I believe that I hit a wall until I found this issue. I believe the answer is: it's not possible, because Google didn't make impersonating possible for Firestore with admin-sdk? Is my assumption correct? @mikelehen or @schmidt-sebastian any news on this? |
That statement is still correct, but this is an often requested feature, so don't give up hope yet :) |
For integrity and security reasons, we use Cloud Functions as an API layer and never directly write to Firestore from the client. We're looking at how to better manage access control and this feature would make a huge difference. Specifically, we could use the authVariableOverride to scope Admin API requests (from our API layer) down to the user calling the function, which would in turn allow us to use native security rules instead of having to come up with our own access control system. I hope you consider reprioritizing this functionality. It would really improve the flexibility of the Admin API and provide improved security at the same time. |
Would love this feature! Any updates? |
upvoting this feature request here too 👍 |
I'd love to have this. |
+1 to this feature, it is very important to be able to use native rules. Any update? |
@schmidt-sebastian any update from the Firebase team? It looks like a highly requested feature, especially for large applications built on Firebase. At the moment we are using the alternative of authenticating the |
+1 |
From what I understand databaseAuthVariableOverride does not work for Firestore. This was important in the real time database to make sure that scripts don't execute with unchecked permissions. Is there an alternative for Firestore?