Authenticating Firestore operations on the server? #159
-
Hi folks, thanks for the great package. I've got client-side firestore auth working, so that firestore operations done on the client follow my firestore rules. But I've been struggling to figure out how to get it working on the server; what I wanted to do was define a getServerSideProps that would access Firestore as the auth'd user, but I haven't been able to do this. The general goal is to have my Firestore rules apply to a user's request, whether it's happening on the server or not. I could initialize server-side Firestore from firebase-admin, but it seems that that would require application-level security (i.e. check that the AuthUser's ID matches against the resource we're loading), which I would prefer to avoid.

The more I look into this, the more it seems like this goal might require the server to do something like, "for every single request, call firebase.auth().signInWithCredential() before loading data" (which this doc section seems to imply would be necessary: https://nextjs.org/docs/authentication#firebase). That doesn't sound like a great idea. I can provide more background if that would be helpful.

To summarize, my questions are: What's the right way to authenticate Firestore operations on the server using next-firebase-auth? If there isn't a good way, do I have any options besides (a) use admin.firestore() on the server or (b) just don't use Firestore on the server?
Replies: 2 comments 2 replies
-
As far as I understand this question, you are trying to apply security rules for Firestore calls from an Admin SDK? You must be aware that the Firebase Admin SDK doesn't pass through the Firebase Security Rules layer. It directly interacts with Firebase. Hope this answers what you are looking for.
-
@tlamarre91 This module doesn't provide any particular functionality around Firebase access/authorization. You'll have whatever tools the Node Firebase admin module provides. This documentation suggests you can limit the privileges of an admin user, which might let you scope the access to a particular end user's ID: Let me know if that helps!
-
As far as I understand this question, you are trying to apply security rules for Firestore calls from an Admin SDK? You must be aware that the Firebase Admin SDK doesn't pass through the Firebase Security Rules layer. It directly interacts with Firebase. And if you need an AuthUser's ID for a Firestore write, you must use withFirebaseUserSSR. Hope this answers what you are looking for.
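Since both replies make the same point, that the Admin SDK does not pass through Security Rules and the server therefore only has the user's ID from the SSR wrapper, here is an added example (not code from next-firebase-auth, Firebase, or anyone in this thread) of the application-level check the question calls option (a): the ownership test a rule would perform, repeated on the server before a document is returned from getServerSideProps. The `notes` collection, the `{ id }` shape of `authUser`, and `makeFakeDb` as a stand-in for `admin.firestore()` are assumptions made for the example.

```javascript
// Added illustration, not code from next-firebase-auth or Firebase. Because the
// Admin SDK bypasses Security Rules, the check that a rule such as
//   allow read: if request.auth.uid == resource.data.ownerId;
// would perform has to be repeated in server code. `db` is anything with the
// Firestore-style collection(name).doc(id).get() shape (constructed stand-in below).

class AuthorizationError extends Error {}

// Mirror the rule above on a document snapshot. A missing document and someone
// else's document raise the same error, so the response reveals neither.
function authorizeOwnedRead(authUser, snap) {
  if (!authUser || !authUser.id) throw new AuthorizationError("unauthenticated");
  if (!snap.exists) throw new AuthorizationError("not found or not permitted");
  const data = snap.data();
  if (data.ownerId !== authUser.id) {
    throw new AuthorizationError("not found or not permitted");
  }
  return data;
}

// Body of a getServerSideProps: `authUser` is what the SSR wrapper named in the
// reply hands you (assumed shape: { id }). A denial becomes a 404 page.
async function buildNoteProps(db, authUser, noteId) {
  try {
    const snap = await db.collection("notes").doc(noteId).get();
    return { props: { note: authorizeOwnedRead(authUser, snap) } };
  } catch (err) {
    if (err instanceof AuthorizationError) return { notFound: true };
    throw err; // genuine Firestore or network failures still surface
  }
}

// Constructed stand-in for admin.firestore(), just enough for the calls above.
function makeFakeDb(docs) {
  return {
    collection: (name) => ({
      doc: (id) => ({
        get: async () => {
          const data = (docs[name] || {})[id];
          return { exists: data !== undefined, data: () => data };
        },
      }),
    }),
  };
}

// Constructed sample data: alice owns n1, bob owns n2.
const sampleDb = makeFakeDb({
  notes: { n1: { ownerId: "alice", text: "mine" }, n2: { ownerId: "bob", text: "theirs" } },
});
```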