My client app is accessing to Firestore through API created by Firebase Functions. However, the Firebase Functions imports firebase-admin
which bypass all the defined security rule. Is there any way I can make my HTTP triggers Function to act as a specific user (for example, by passing an access token from client to server), so that the Functions works under influence of Firebase Functions as well.
There is currently no way to do this. The Firestore SDK for node doesn't have a way of scoping its access to the database as a particular authenticated user.
Note that this is different than the Realtime Database SDK, which does allow you to scope to a uid.
I think it is possible to access Firestore via an admin-sdk but scope it to the logged-in user if you are use REST APIs to access Firestore.
For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:
Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With