One App, Multiple Projects

Matt Crane

Jul 10, 2022, 9:19:44 PM
to Firebase Google Group
Not sure on the best way to achieve this, and forgive my terminology. I want to create (I think) a hybrid multi-instance/multi-tenant architecture with a CMS app and multiple Firestore projects.

What i could do
User logs into my CMS app and once authenticated they can access their data based on what their userId has access to, i.e. all their data could be under a collection users with all their data in subcollections belonging to the document with their userID (or something to that effect).

What I want to do
I want the user to be authenticated, but once logged in, their data is retrieved from a separate Google project. Why? Because I would prefer for the data to be separated, and be able to manage the project in a more individual way. For example, if the client decides they want to part ways, or we need to get a bit complex with their setup, or they have a requirement for their data to be partitioned away from others' data, then this will make sense; it then also means I can be more specific with the Firebase auth config in each project.

So let's call my CMS app Project 1 (using Firebase Auth and Firestore*).
(*there is a Firestore in Project 1, with some config to say what Joe can access in the CMS and to handle any billing bits)

Joe Bloggs authenticates on myapp.com/login against Project and succeeds.
He is then taken to his dashboard and the data is pulled from Project 2. Any records he created in the CMS are stored to Project 2. Joe's website interacts with Project 2 via a Cloud Function hosted GraphQL.

Jess Blogs signs up for the CMS app, and a new project is created (Project 3) and Jess logs in (authenticated against Project 1). Jess creates some records in the CMS and the records are created in the Firestore in her project (Project 3).

It feels like this is possible as I can use connect to do instances with the relevant API key and project ID. But the black hole of information for me is:

1. When Jess signs up, could I automatically create a new Firebase project/web app and Firebase instance + deploy a Cloud Function (for the GraphQL)? If so what's the best way to do this, can it all be done in Node.js?

2. How can I grant access to Project 3, when Jess signs in and authenticates against Project 1? (I thought maybe I could store the API key and project ID as a custom claim, so I could then access that data from the auth object and use that to connect the 2nd instance of Firebase in my CMS app... however, my spidey senses say maybe it's unsafe to do it that way?)

I feel like I'm close but after days of reading up, I'm concerned I'm barking up the wrong tree perhaps?

In case it's of use, this may describe what I'm trying to achieve: https://www.figma.com/file/kpCOPjX8IEzJXK2N9Drinw/Setup?node-id=1%3A180

Any help would be greatly appreciated :-)

Thanks

I have a CMS app deployed that uses Firebase Authentication and Firestore.
Ultimately I only want to keep the one CMS deployed, but when a user logs in it should connect them to the relevant Firebase project that contains their data.

Kato Richardson

Jul 11, 2022, 11:23:58 AM
to Firebase Google Group
> 1. When Jess signs up, could I automatically create a new Firebase project/web app and Firebase instance + deploy a Cloud Function (for the GraphQL)? If so what's the best way to do this, can it all be done in Node.js?
Most of this can be done with the Management API. But it's not a perfect solution.


> 2. How can I grant access to Project 3, when Jess signs in and authenticates against Project 1?
For Google Sign In, there is a setting here to safelist clients, which would allow OAuth tokens for project 1 to be used to authenticate to project 3 (you configure this in project 3). For other providers, you would likely need to sign your own tokens to make this work.
(attached screenshot: image.png)

But this seems to contradict your overall goals of separating the projects and likely creates the same security concerns you're trying to avoid by using separate projects. You're probably just as well off using custom claims to isolate tenants in a single project.

> I'm concerned I'm barking up the wrong tree perhaps?
Multi-tenancy across multiple projects is not a use case Firebase is optimizing for. It's likely that this is just a lot of work to achieve what's already built into the security rules, which will allow you to completely isolate data by tenant through claims. You'll likely end up with cobbled together tooling to connect the projects under your app, such as your authentication mechanism, which provides the same opportunities for oversights in the security layer. A case where multiple projects are probably very useful is if you scale massively and begin to exceed write throughputs or connection limits.

Of course, you know your use case best, so I'll get off the soapbox here. And there is at least a perception your clients may find this more secure. Additionally, if you avoid any crossover functionality (e.g. build separate app releases for each client that only access their particular projects) this could work as well.

One more thing you didn't mention here that will be fairly critical for this sort of approach: you will need a way to build out a tenant map and to migrate tenants during breaking changes and upgrades to your database structures. So invest some thought into a release strategy including Remote Config that will provide you flexible ways to switch out project IDs and databases, perhaps even configure authentication mechanisms (which might be a good alternative to multiple projects for this purpose). A simple tenant approach here is probably to just set a user property in Analytics, which matches the tenant identified in the custom Auth claim, providing you a full range of tools across the board for matching up your tenants through all the Firebase services.

☼, Kato


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
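The single-project alternative Kato recommends (isolate tenants with a custom claim and let Security Rules enforce it) as an added example; this is not code from the thread or from Firebase. `assignTenant()` calls the real firebase-admin method `auth.setCustomUserClaims`, but the `auth` handle is passed in so the function can be exercised with a stub and no project; the tenant-id format check and the `/tenants/{tenantId}/...` layout are assumptions of this example. `tenantRuleAllows()` is a local mirror of the rule shown in the comment, so the allow/deny decision can be tested offline, including the cases that matter most: an unauthenticated request, a user with no claim yet, and a path under another tenant.

```javascript
// Added example, not code from the thread: single-project multi-tenancy with a
// per-user custom claim that Firestore Security Rules compare to the path.
//
// assignTenant() uses the real firebase-admin API (auth.setCustomUserClaims);
// `auth` is injected so this runs with a stub and no Firebase project. The
// tenant id format check is an assumption of this example, not a Firebase rule.
function assignTenant(auth, uid, tenantId) {
  if (!/^[a-z0-9][a-z0-9-]{0,63}$/.test(tenantId)) {
    throw new Error(`invalid tenant id: ${tenantId}`);
  }
  // The claim lands in the user's ID token on the next refresh and is then
  // visible to rules as request.auth.token.tenant.
  return auth.setCustomUserClaims(uid, { tenant: tenantId });
}

// Firestore rule deployed alongside it (shown as a comment because rules are
// not JavaScript). All tenant data lives under /tenants/{tenantId}/...; a
// request is allowed only when the caller's claim equals that path segment:
//
//   rules_version = '2';
//   service cloud.firestore {
//     match /databases/{database}/documents {
//       match /tenants/{tenantId}/{document=**} {
//         allow read, write: if request.auth != null
//                            && request.auth.token.tenant == tenantId;
//       }
//     }
//   }
//
// tenantRuleAllows() mirrors that condition. decodedToken is the claims object
// of a verified ID token (null for an unauthenticated request); docPath is the
// document path relative to /databases/{database}/documents. With
// rules_version 2 the {document=**} wildcard also matches the tenant document
// itself, so "tenants/acme" is covered as well as "tenants/acme/pages/home".
function tenantRuleAllows(decodedToken, docPath) {
  const m = /^tenants\/([^/]+)(?:\/|$)/.exec(docPath);
  if (!m) return false;                        // outside the tenant tree: no rule matches, deny
  if (!decodedToken) return false;             // unauthenticated request
  const claim = decodedToken.tenant;
  if (typeof claim !== 'string') return false; // user has not been assigned a tenant yet
  return claim === m[1];                       // cross-tenant paths are denied
}

// Stand-alone demo with a constructed stub auth handle (no network).
const demoAuth = {
  setCustomUserClaims: (uid, claims) => {
    console.log('setCustomUserClaims', uid, claims);
    return Promise.resolve();
  },
};
assignTenant(demoAuth, 'uid-joe', 'joe-bloggs');
const demoToken = { uid: 'uid-joe', tenant: 'joe-bloggs' }; // constructed claims
console.log(tenantRuleAllows(demoToken, 'tenants/joe-bloggs/pages/home')); // true
console.log(tenantRuleAllows(demoToken, 'tenants/jess-blogs/pages/home')); // false
console.log(tenantRuleAllows(null, 'tenants/joe-bloggs/pages/home'));      // false
```

The rule keys isolation on the path segment, not on a field inside the document, so a client cannot widen its access by writing a different `tenant` value into its own data; the only way to change which subtree a user can reach is the Admin SDK call, which runs server-side. Anything written outside `/tenants/...` matches no rule and is denied by default.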
