Firebase Installation auth tokens validation from Firestore Rules

1
votes

I want to have a Firestore collection that can only be accessed by a specific Firebase installation. For example,

/MyPrivateInstallationCollection/{FirebaseInstallationID}

According to the docs, Firebase Installation auth tokens exist but they are different to Firebase Auth tokens. https://firebase.google.com/docs/projects/manage-installations#retrieve_auth_tokens

In Firestore security reference docs, there is no trace of Installation IDs. https://firebase.google.com/docs/reference/rules/rules.firestore.Request

Is it possible to use Firebase Installation Tokens from Firestore security rules?

How can FIS auth tokens be validated? How are they supposed to be used?

1
firebasegoogle-cloud-firestorefirebase-authenticationfirebase-security

1 Answers

1
votes

Installation IDs are not automatically included in the auth token of the user.

If you want to include the installation ID in the auth token, you can set it as a custom claim using an Admin SDK in a trusted environment.

Alternatively, you can include a mapping from the UID (which is included in the auth token) to their Installation IDs, and then check against that in your security rules. Keep in mind that a user can have multiple devices, so allow for multiple Installation IDs per UID in your data structure.