How to check Firebase Rules User Permissions via Cloud Functions HTTP request

0
votes

I am using Firebase Cloud Functions and created a couple of HTTP requests.

To authenticate the user, I verify the ID toke using the admin sdk.

const decoded = await admin.auth().verifyIdToken(`${tokenId}`);

Is there a way to check if the user has the permissions to read/write from a cloud function depending on the Security Rules without manually checking the same rules in cloud functions?

2
typescriptfirebase-realtime-databasegoogle-cloud-functionsfirebase-securityfirebase-admin
Hey Tal. Did you see my answer below? Did that make sense? Did you try it out?Frank van Puffelen

2 Answers

1
votes

Is there a way to check if the user has the permissions to read/write from a cloud function depending on the Security Rules without manually checking the same rules in cloud functions?

  1. Cloud Functions use the Firebase Admin Node.js SDK, and therefore they run with administrative privilege and they totally bypass the security rules.
  2. There is no way, from a Cloud Function, to check the authorization for a given user against the Security Rules (RTDB, Firestore or Cloud Storage).

Conclusion: You need to implement the logic in your Cloud Function in order to mimic your Security Rules.

Note that the Admin SDK gives the possibility to read the Security Rules code (see the doc here and here), but, again, you need to implement the business logic that checks against those rules. So it does not bring any help in your specific case.

0
votes

You can actually make your Cloud Function access the Realtime Database as the user that called it by setting the databaseAuthVariableOverride when initializing the Admin SDK. For full details on this, see the Firebase documentation on accessing the database with limited permissions from the Admin SDK.

This setting is only available for the Realtime Database, so if you ever switch to using Firestore you'll have to do as Renaud answered.