Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
node.js - Restrict firestore access to admin-sdk

I am designing an application (let's call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).

I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it's production-proof.


  • A user has signed in on my VueJs app thanks to the password-based authentication of Firebase (and the user's credentials, including his accessToken, are stored in my Vuex store).
  • The Firebase Admin SDK is running on my backend.
  • My VueJs app is requesting my backend.
  • The backend verifies the accessToken sent in the client-side request.
  • It is my backend that requests my Firestore database thanks to the Admin SDK.

I have set some security rules on my Firestore database:

service cloud.firestore {
  match /databases/{database}/documents {
    // Only the authenticated owner of /users/{userId} may read or write below it
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

because I don't want any logged-in user to access data from another user.


As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won't be any security issues? For now, I am just verifying the accessToken sent in the request to my backend, but ... something feels wrong about this!


On client-side:

auth.onAuthStateChanged((user) => {
  if (user) {
    // Save the user credentials
    // (the ID token is obtained with user.getIdToken() and kept in the Vuex store)
  }
});

On server-side:

// idToken comes from the client app (shown above)
admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // Retrieve or add some data in /users/{userId}/{document=**}
  }).catch(function(error) {
    // Handle error
  });

As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.


Thanks for your help!
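The backend pattern described in the question, as an added example that is not part of the original post or of Firebase's own code: the uid is taken only from the verified ID token and every Firestore path is built under that uid, so a userId supplied by the client can never select another user's subtree. `verifyIdToken` and `db` are injected (in production they would be `admin.auth().verifyIdToken` and `admin.firestore()`); the Express-style `req`/`res` shape and the `todos` sub-collection are assumptions.

```javascript
'use strict';

// The only Firestore path a request may touch: the subtree of the user whose
// ID token the backend verified. `uid` comes from the decoded token, never
// from the request body, query string or URL.
function scopedPath(uid, ...segments) {
  if (typeof uid !== 'string' || uid.length === 0 || uid.includes('/')) {
    throw new Error('invalid uid');
  }
  for (const s of segments) {
    // Reject empty, slash-containing and dot segments so the path cannot
    // escape /users/{uid}/ (Firestore does not resolve "..", but be strict).
    if (typeof s !== 'string' || s.length === 0 || s.includes('/') ||
        s === '.' || s === '..') {
      throw new Error('invalid path segment: ' + String(s));
    }
  }
  return ['users', uid, ...segments].join('/');
}

// Middleware factory (assumed Express-style req/res/next). `verifyIdToken`
// is injected: admin.auth().verifyIdToken in production, a stub in tests.
// It must return a Promise resolving to the decoded token ({ uid, ... }).
function requireUser(verifyIdToken) {
  return async function (req, res, next) {
    const header = req.headers.authorization || '';
    const [scheme, token] = header.split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    try {
      // second argument: also reject tokens whose session was revoked
      const decoded = await verifyIdToken(token, true);
      req.uid = decoded.uid;   // the only trusted identity for this request
      return next();
    } catch (err) {
      return res.status(401).json({ error: 'invalid token' });
    }
  };
}

// Handler: reads only under /users/{req.uid}/todos; any userId the client
// sends is ignored, so one logged-in user cannot reach another user's data.
function makeTodoHandler(db) {
  return async function (req, res) {
    const snap = await db.doc(scopedPath(req.uid, 'todos', req.params.todoId)).get();
    if (!snap.exists) return res.status(404).json({ error: 'not found' });
    return res.json(snap.data());
  };
}
```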
