How to write database rules for Firebase Cloud Functions?
1,070 views
Skip to first unread message
Jonas Bengtsson
Jun 21, 2017, 12:26:30 AM6/21/17
to Firebase Google Group
Hey,
I'm writing a cloud function that triggers on a database event, does something with the data and deletes it from the database. Normal users should be able to write to that path, but only my cloud function should be able to delete the data.
How do I write rules that target the cloud function user? How does it's auth variable look? Can I configure the uid somehow?
Thanks in advance!
Cheers,
Jonas
Alex Memering
Jun 21, 2017, 1:29:57 PM6/21/17
to Firebase Google Group
There isn't really a default Cloud Function user. When you access `event.data.ref` that gives you back a Database reference that has the same end-user permissions that wrote to the Database location that your Function is watching. In a lot of cases this is quite useful, but it seems like you don't want your users to have that kind of access normally. `event.data.adminRef` is also exposed, but that gives full read and write access, again not quite what you seem to want.
Instead what you probably want to do is to use the auth variable override option when initializing the admin SDK. With that you can provide an object that will be used in the security rules as the `auth` variable, giving you full control of it. So you can pick some known UID value and have you Function's admin SDK ref use that, then write security rules that only allow your Function access to particular parts of your Database.
Hope that helps,
Alex
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5ed3db29-7942-4fc9-8e20-bb543965b4b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
| Alex Memering | | Software Engineer | | meme...@google.com |
Tom Larkworthy
Jun 21, 2017, 1:43:07 PM6/21/17
to Firebase Google Group
Would it be ok to trust the function code to work correctly and use the adminRef to bypass security rules, then write a rule for authenticated users to limit them to create only i.e. ".write":"!data.exists() && newData.exists()". I don't think you need the function to have a custom auth unless you specifically want to limit its privileged access.
On Wed, Jun 21, 2017 at 10:29 AM, Alex Memering <meme...@firebase.com> wrote:
There isn't really a default Cloud Function user. When you access `event.data.ref` that gives you back a Database reference that has the same end-user permissions that wrote to the Database location that your Function is watching. In a lot of cases this is quite useful, but it seems like you don't want your users to have that kind of access normally. `event.data.adminRef` is also exposed, but that gives full read and write access, again not quite what you seem to want.Instead what you probably want to do is to use the auth variable override option when initializing the admin SDK. With that you can provide an object that will be used in the security rules as the `auth` variable, giving you full control of it. So you can pick some known UID value and have you Function's admin SDK ref use that, then write security rules that only allow your Function access to particular parts of your Database.Hope that helps,Alex
On Tue, Jun 20, 2017 at 9:26 PM Jonas Bengtsson <jon...@gmail.com> wrote:
Hey,--I'm writing a cloud function that triggers on a database event, does something with the data and deletes it from the database. Normal users should be able to write to that path, but only my cloud function should be able to delete the data.How do I write rules that target the cloud function user? How does it's auth variable look? Can I configure the uid somehow?Thanks in advance!Cheers,Jonas
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5ed3db29-7942-4fc9-8e20-bb543965b4b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Alex Memering | Software Engineer | meme...@google.com
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAO0wbvg4uYBP%2BMSXFcHvsAFodPR%2B41sKk5A%3D1_mZq9%3DabWrDYQ%40mail.gmail.com.
Jonas Bengtsson
Jun 21, 2017, 7:27:30 PM6/21/17
to Firebase Google Group
Thanks Alex and Tom!
That event.data.ref uses the end-user's permissions and that there's also event.data.adminRef was something that I've missed. Using adminRef (without any rules) works for me, and I'm happy with that.
The reason why I don't want the user to be able to delete the data is that I use it as a queue (for FCM messages), so I'm using a global queue and don't want users to be able to mess with other users' messages.
Cheers,
Jonas
On Wednesday, 21 June 2017 19:43:07 UTC+2, Tom Larkworthy wrote:
Would it be ok to trust the function code to work correctly and use the adminRef to bypass security rules, then write a rule for authenticated users to limit them to create only i.e. ".write":"!data.exists() && newData.exists()". I don't think you need the function to have a custom auth unless you specifically want to limit its privileged access.
On Wed, Jun 21, 2017 at 10:29 AM, Alex Memering <meme...@firebase.com> wrote:
There isn't really a default Cloud Function user. When you access `event.data.ref` that gives you back a Database reference that has the same end-user permissions that wrote to the Database location that your Function is watching. In a lot of cases this is quite useful, but it seems like you don't want your users to have that kind of access normally. `event.data.adminRef` is also exposed, but that gives full read and write access, again not quite what you seem to want.Instead what you probably want to do is to use the auth variable override option when initializing the admin SDK. With that you can provide an object that will be used in the security rules as the `auth` variable, giving you full control of it. So you can pick some known UID value and have you Function's admin SDK ref use that, then write security rules that only allow your Function access to particular parts of your Database.Hope that helps,Alex
On Tue, Jun 20, 2017 at 9:26 PM Jonas Bengtsson <jon...@gmail.com> wrote:
Hey,--I'm writing a cloud function that triggers on a database event, does something with the data and deletes it from the database. Normal users should be able to write to that path, but only my cloud function should be able to delete the data.How do I write rules that target the cloud function user? How does it's auth variable look? Can I configure the uid somehow?Thanks in advance!Cheers,Jonas
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5ed3db29-7942-4fc9-8e20-bb543965b4b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Alex Memering | Software Engineer | meme...@google.com
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
Doug Stevenson
Jun 21, 2017, 8:55:07 PM6/21/17
to Firebase Google Group
Jonas,
During my session at I/O, I go over a way to use Cloud Functions as a command queue that allows clients to push descriptions of work into the database while Cloud Functions does all the manipulations (it's a simple game). Security rules are set up so that only a user can push command into their own space identified by their uid, which allows Cloud Functions to securely determine who the user is. Maybe this type of system would be of help?
Doug
Reply all
Reply to author
Forward
0 new messages