0
votes

I am hosting an Express app on Firebase Hosting with a Cloud Functions backend. My front-end app sends the token to the backend code (the Express app) to verify the user. I need both public and private API endpoints. I see there is sample code (middleware for validating a Firebase ID token) for securing API endpoints with the Admin SDK. Link to the code: https://github.com/firebase/functions-samples/blob/master/authorized-https-endpoint/functions/index.js

The endpoint in the code is only accessed by authenticated users, but how can I also have endpoints for non-authenticated users (public endpoints)?

2 Answers

2
votes

You can just make a decision in your endpoint what to do based on the information provided by the client. If the client provides an ID token, then check it. If not, then don't. Decide in your function what should be allowed in either case.

If you really must have two different endpoints, that's OK. Configure your express app to accept requests at two different locations, and configure them to behave differently as needed.

1
votes

The basic answer is to just have the "public" endpoints not use the validation middleware. There are multiple ways of accomplishing this.

  1. Split the Express app into two sections: "public" and "private". The "private" section should include the middleware while the "public" won't.
  2. Have two HTTPS endpoints, "public" and "private", each being its own Express app.
  3. Use the validation middleware on an endpoint-by-endpoint basis (i.e. `api/user/userid1/change-name` will use the middleware while `api/about` will not).

If you don't know how to integrate middleware to implement one of the above solutions, here are the ExpressJS docs on how to use `router.use` to include middleware.
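
An added example of option 1 above (not part of either answer or of the linked Firebase sample): one app with a public and a private router, where only the private router mounts the token check. `requireIdToken`, `buildApp` and the route paths are hypothetical names; `verifyIdToken` is assumed to behave like the Admin SDK's `admin.auth().verifyIdToken`, and `express` is passed in as `require('express')`.

```javascript
// Added example. Assumptions: `verifyIdToken(token)` returns a promise of the
// decoded claims and rejects on an invalid token (as admin.auth().verifyIdToken does).

// Middleware factory: only lets a request through with a valid
// "Authorization: Bearer <ID token>" header.
function requireIdToken(verifyIdToken) {
  return async function (req, res, next) {
    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer (.+)$/.exec(header);
    if (!match) {
      return res.status(401).send('Unauthorized');
    }
    try {
      req.user = await verifyIdToken(match[1]); // decoded token claims
      return next();
    } catch (err) {
      // Expired, malformed and forged tokens all land here.
      // Give the client a fixed answer; keep `err` for server-side logs only.
      return res.status(401).send('Unauthorized');
    }
  };
}

// One app, two routers. The middleware is mounted on the private router only,
// so a route added to publicApi can never require a token by accident, and a
// route added to privateApi can never skip the check.
function buildApp(express, verifyIdToken) {
  const app = express();
  const publicApi = express.Router();
  const privateApi = express.Router();

  publicApi.get('/about', (req, res) => res.json({ name: 'demo' }));

  privateApi.use(requireIdToken(verifyIdToken)); // runs before every private route
  privateApi.post('/user/change-name', (req, res) => res.json({ uid: req.user.uid }));

  app.use('/api/public', publicApi);
  app.use('/api/private', privateApi);
  return app;
}

// Assumed wiring in Cloud Functions:
//   exports.app = functions.https.onRequest(
//     buildApp(require('express'), (t) => admin.auth().verifyIdToken(t)));
```

Mounting the check with `privateApi.use` before any private route is declared matters: Express runs middleware in registration order, so a route registered ahead of it would be reachable without a token.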