Reputation: 131
I am creating a website in Node.js (Express.js) that will use the Firebase Admin Auth API to authenticate a user using ID token verification.
This token will then be saved to a server session, to be used for queries to the realtime database that will be made from the server.
My question is regarding limiting privileges. The docs say that databaseAuthVariableOverride should be used to mimic a user using their uid.
Taken from the admin auth docs:
If you want your server to emulate user actions like accessing the Firebase Realtime Database as that user, you should first verify and decode an ID token for that user. Then, make use of the databaseAuthVariableOverride option to limit the privileges of your server
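So for each user:

    const admin = require("firebase-admin");

    // serviceAccount is the loaded service account key; userId1 and userId2
    // are uids taken from verified ID tokens.

    // One named app per logged-in user (the second argument is the app name).
    admin.initializeApp({
      credential: admin.credential.cert(serviceAccount),
      databaseURL: "https://databaseName.firebaseio.com",
      databaseAuthVariableOverride: {
        uid: userId1
      }
    }, userId1);

    admin.initializeApp({
      credential: admin.credential.cert(serviceAccount),
      databaseURL: "https://databaseName.firebaseio.com",
      databaseAuthVariableOverride: {
        uid: userId2
      }
    }, userId2);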
Would it be feasible to initialise a new firebaseApp for each user that is logged in, or is there a standard way to handle limiting privileges for multiple users?
Upvotes: 0
Views: 684
Reputation: 317467
That's not exactly how the admin SDK was intended to be used. You certainly could simulate a user this way, but it's not a best practice.
Users are supposed to read and write their own data through the client. Security rules exist for them because you can't trust that they'll play by the rules you want.
On the server, since you control all the logic, you don't need to simulate end users, because you can trust that your own code will do the right thing with any data that it reads and writes.
The uid property is intended to implement a temporary drop in privileges to another type of administrative role that you control - not to simulate your end users. That uid would typically be hard-coded in security rules that define the level of privilege for that role or service. A better description of how this works can be found here. (This was the link on the word "here" in the bit of docs that you cited.)
Upvotes: 3
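The approach this answer describes, as an added example that is not part of the original posts or Firebase's own code: one shared Admin app, with the per-user check done in server code by taking the uid from the verified ID token and confining every database path to that user's subtree. The `/users/<uid>/...` layout, the function names and the offline stand-ins for `admin.auth()` and `admin.database()` are assumptions.

```javascript
// Added example: `auth` and `db` are injected. In production they would be
// admin.auth() and admin.database() from a single admin.initializeApp(...) call.
// The /users/<uid>/... layout and all function names are assumptions.

// Realtime Database keys may not contain . $ # [ ] / or ASCII control characters.
const SAFE_SEGMENT = /^[^.$#\[\]\/\x00-\x1f\x7f]+$/;

// Build a reference that cannot leave the verified user's own subtree.
function userRef(db, uid, relPath) {
  const segments = String(relPath).split("/").filter((s) => s.length > 0);
  const uidOk = typeof uid === "string" && SAFE_SEGMENT.test(uid);
  if (!uidOk || segments.length === 0 || !segments.every((s) => SAFE_SEGMENT.test(s))) {
    throw new Error("invalid database path");
  }
  return db.ref(["users", uid, ...segments].join("/"));
}

async function readOwnData(auth, db, idToken, relPath) {
  // Never trust a uid sent by the client; take it from the verified token.
  const decoded = await auth.verifyIdToken(idToken);
  const snapshot = await userRef(db, decoded.uid, relPath).once("value");
  return snapshot.val();
}

// Constructed stand-ins so the example runs offline without firebase-admin.
function makeFakes() {
  const data = {
    "users/alice/profile": { name: "Alice" },
    "users/bob/profile": { name: "Bob" },
  };
  const tokens = { "token-alice": "alice", "token-bob": "bob" };
  const auth = {
    verifyIdToken: async (t) => {
      if (!(t in tokens)) throw new Error("invalid ID token");
      return { uid: tokens[t] };
    },
  };
  const db = {
    ref: (p) => ({ path: p, once: async () => ({ val: () => data[p] ?? null }) }),
  };
  return { auth, db };
}
```

Because the Admin SDK is not subject to security rules unless an override is set, a check like `userRef` is the only thing keeping one user's request away from another user's data in this design.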