Firestore Rule is not working when updating a collection using a firebase function


Marcus

Sep 9, 2019, 11:00:27 AM
to Firebase Google Group
Hi,

I found a possible bug in the Firestore rule when updating a collection using a firebase function. 

I followed the suggested rule in the link below to prevent anyone from spam calling my API.

https://stackoverflow.com/questions/56487578/how-do-i-implement-a-write-rate-limit-in-cloud-firestore-security-rules

The Firestore rule works when updating a collection using a React application. However, the rule is not working when updating a collection using a firebase function. 


Has anyone implemented a security rule that works in firebase function?

Thanks,
Mark

Frank van Puffelen

Sep 9, 2019, 11:08:42 AM
to Firebase Google Group
Code running in Cloud Functions accesses Firebase with administrative privileges. This means it bypasses the security rules you've set for your database. 

This means security rules can't be used to implement a write rate limit from Cloud Functions. You could however implement something similar directly in your Cloud Functions code, reading the user document, and only allowing the operation if enough time has passed. You'll want to use a transaction for this, since you're updating the user document based on its current value.

    puf
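
The transaction-based limit described in the reply above, as an added example that is not part of the original thread. The `users/{uid}` path, the `lastWrite` field, the 5-second interval and the `fakeDb` stand-in are assumptions made for illustration.

```javascript
// Added example. The users/{uid} path, the lastWrite field (epoch ms) and
// the 5 s interval are assumptions, not values from the thread.
const MIN_INTERVAL_MS = 5000;

// Allow when there is no earlier write or enough time has passed.
function mayWrite(lastWriteMs, nowMs, minIntervalMs = MIN_INTERVAL_MS) {
  if (typeof lastWriteMs !== 'number') return true;
  return nowMs - lastWriteMs >= minIntervalMs;
}

// db needs only the Admin SDK calls used here: collection().doc(),
// runTransaction(fn), tx.get(ref) and tx.set(ref, data, { merge }).
// uid must come from the verified caller identity, never the request body.
async function rateLimitedWrite(db, uid, payload, nowMs = Date.now()) {
  const userRef = db.collection('users').doc(uid);
  return db.runTransaction(async (tx) => {
    const snap = await tx.get(userRef);
    const last = snap.exists ? snap.data().lastWrite : undefined;
    if (!mayWrite(last, nowMs)) {
      return { allowed: false, retryAfterMs: MIN_INTERVAL_MS - (nowMs - last) };
    }
    // In Firestore, check and update share one transaction, so two concurrent
    // calls cannot both pass against the same stale timestamp. lastWrite is
    // spread last so the payload cannot overwrite it.
    tx.set(userRef, { ...payload, lastWrite: nowMs }, { merge: true });
    return { allowed: true, retryAfterMs: 0 };
  });
}

// Constructed in-memory stand-in for the Firestore object (offline runs only).
function fakeDb() {
  const docs = new Map();
  const tx = {
    get: async (ref) => ({ exists: docs.has(ref.path), data: () => docs.get(ref.path) }),
    set: (ref, data, opts) => docs.set(ref.path,
      opts && opts.merge ? { ...docs.get(ref.path), ...data } : data),
  };
  return {
    docs,
    collection: (name) => ({ doc: (id) => ({ path: `${name}/${id}` }) }),
    runTransaction: (fn) => fn(tx),
  };
}
```

In a deployed function, `db` would be the Firestore instance obtained from the Admin SDK in place of `fakeDb()`.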

Marcus

Sep 10, 2019, 8:42:16 PM
to Firebase Google Group
Thanks Puf! 

If I create my API using Node.js & Express, will the Firestore rules work?

Kato Richardson

Sep 10, 2019, 10:13:27 PM
to Firebase Google Group
Hi Marcus,

When using the Admin SDK you authenticate with a service account, which provides unrestricted access. Rules aren't applied here.

If you want the write to occur with the privileges of the client, then just have the client perform the write. You can still trigger your Functions code to run after the fact if there's some server work needed, but it no longer needs to be concerned with verifying identity or write integrity.

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
