Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
708 views
in Technique[技术] by (71.8m points)

node.js - Restrict firestore access to admin-sdk

I am designing an application (let's call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).

I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it's production-proof.

Situation:

  • A user has signed-in on my VueJs app thanks to the password-based authentication of Firebase (and the user's credentials, including his accessToken, are stored in my Vuex store).
  • The Firebase Admin SDK is running on my backend.
  • My VueJs app is requesting my backend.
  • The backend verifies the accessToken sent in the client-side request
  • It is my backend that request my Firestore database thanks to the Admin SDK

I have set some security rules on my Firestore database:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

so that I don't want any logged users to access data from another user.

Question:

As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won't be any security issues. For now, I am just verifying the accessToken sent in the request to my backend, but ... something makes me feel wrong with this!

Code:

On client-side:

auth.onAuthStateChanged((user) => {
  if (user) {
    // Save the user credentials
  }
}

On server-side:

// idToken comes from the client app (shown above)
// ...
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // Retrieve or add some data in /users/{userId}/{document=**}
  }).catch(function(error) {
    // Handle error
  });

As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.

References

Thanks for your help!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...